Verification via the web of trust
Doug Barton
dougb at dougbarton.email
Thu Mar 24 20:40:23 CET 2016
On 03/24/2016 02:53 AM, Peter Lebbing wrote:
> On 23/03/16 22:07, Doug Barton wrote:
>> 1. You don't know if the key was in full control of the
>> person/organization it purports to represent before, during, or after
>> the signatures you are trusting were applied.
>>
>> 2. You don't know if the person in control of the key at the time the
>> thing you care about was signed was being coerced, or not.
>
> These situations are rather more extreme than "is somebody MITM'ing my
> connection to the apache.org webserver". If you can decide that somebody
> authorized by the Apache Foundation to sign off on releases actually did
> sign the code you got, that's actually of value.
But that's precisely my point. You have no idea what individual was
actually responsible for signing the package you're downloading. It
*could* be the same trusted package uploader that has signed the last
few packages you grabbed, or it could be a nefarious individual who
managed to get hold of Apache's secret key. My point is that there is no
volume of signatures on or leading up to that key which will answer this
question for you.
> The trust starts somewhere, there is always some base step where you say
> "I can't verify further, this will do". There are no absolutes in this
> game. In fact, the two points you give are /always/ valid. They do not
> make signatures useless.
I didn't say that they are useless. I said that we have to be realistic
about what their value is (and isn't).
Doug
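Added example, not part of the message above and not GnuPG's or any project's own tooling: the "base step" Peter describes, made concrete. A release is accepted only if gpg reports a plain GOODSIG and the primary fingerprint on the VALIDSIG line is on a list pinned out of band (copied, for instance, from a project's published KEYS file over a separately trusted channel); the web-of-trust verdict in gpg's TRUST_* lines is ignored. This settles which key you are trusting, nothing more: a signature made with that same key by whoever holds it, coerced or not, still verifies, which is Doug's point. Assumed: the gpg 2.x --status-fd line format, constructed placeholder fingerprints and status output (no real project's keys), and hypothetical file names in the usage line.

```shell
#!/bin/sh
# Added example (not from the original thread). Accept a detached signature
# only when it is GOOD and made by a key whose primary fingerprint is pinned.
# Assumes gpg 2.x status-line format. Fingerprints are constructed placeholders.

PINNED_FINGERPRINTS="
0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98
"

# check_status STATUS_TEXT
# Takes the output of 'gpg --status-fd 1 --verify' and returns 0 only for a
# GOODSIG whose primary-key fingerprint is in PINNED_FINGERPRINTS.
check_status() {
    status="$1"

    # Fail closed. gpg still emits VALIDSIG for an expired or revoked key, so
    # the fingerprint alone is not enough: none of these lines may be present.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA|NO_PUBKEY)( |$)'; then
        return 1
    fi
    # And a plain GOODSIG must be there.
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        return 1
    fi

    # VALIDSIG: field 3 is the fingerprint of the (sub)key that signed, field
    # 12 the primary key's. Pin the primary so a rotated signing subkey still
    # verifies; fall back to field 3 for status lines that lack field 12.
    fpr=$(printf '%s\n' "$status" |
        awk '$2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    if [ -z "$fpr" ]; then
        return 1
    fi

    for pinned in $PINNED_FINGERPRINTS; do
        if [ "$fpr" = "$pinned" ]; then
            return 0
        fi
    done
    return 1
}

# verify_release FILE SIGFILE [KEYRING]
# Runs gpg non-interactively; status lines go to stdout (fd 1), the
# human-readable chatter to stderr, so only the status text is captured.
verify_release() {
    file="$1"
    sig="$2"
    keyring="$3"
    set -- --batch --no-tty --status-fd 1
    if [ -n "$keyring" ]; then
        set -- "$@" --no-default-keyring --keyring "$keyring"
    fi
    status=$(gpg "$@" --verify "$sig" "$file" 2>/dev/null)
    check_status "$status"
}

# Constructed status output, not captured from a real gpg run.
# Good signature by a subkey of the first pinned key. TRUST_UNDEFINED means
# the web of trust says nothing about this key; the pin decides instead.
STATUS_GOOD_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager <rm@example.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-03-24 1458849623 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Good signature from a different, well-certified key (TRUST_FULLY). Not the
# pinned release key, so it is rejected however many certifications it has.
STATUS_GOOD_UNPINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-03-24 1458849623 0 4 0 1 10 01 1111111111111111111111111111111111111111
[GNUPG:] TRUST_FULLY 0 pgp'

# Cryptographically valid, but the pinned key has expired: EXPKEYSIG replaces
# GOODSIG while VALIDSIG is still emitted.
STATUS_EXPIRED_KEY='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Release Manager <rm@example.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-03-24 1458849623 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] KEYEXPIRED 1460000000'

# The file was altered after signing.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Manager <rm@example.org>'

# Stand-alone demo over the constructed cases. On a real download you would
# run: verify_release foo-1.0.tar.gz foo-1.0.tar.gz.asc release-keys.gpg
for case in STATUS_GOOD_PINNED STATUS_GOOD_UNPINNED STATUS_EXPIRED_KEY STATUS_BAD; do
    eval "s=\$$case"
    if check_status "$s"; then
        echo "$case: accepted"
    else
        echo "$case: rejected"
    fi
done
```

The keyring passed to verify_release should hold only the release keys (import the project's KEYS file into a dedicated keyring with `gpg --no-default-keyring --keyring release-keys.gpg --import KEYS`), and the pinned fingerprints should be recorded from a source you have checked independently of the download site; once they are, the ownertrust and certification state of the keys plays no part in the decision.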