Verification via the web of trust

Doug Barton dougb at
Thu Mar 24 20:40:23 CET 2016

On 03/24/2016 02:53 AM, Peter Lebbing wrote:
> On 23/03/16 22:07, Doug Barton wrote:
>> 1. You don't know if the key was in full control of the
>> person/organization it purports to represent before, during, or after
>> the signatures you are trusting were applied.
>> 2. You don't know if the person in control of the key at the time the
>> thing you care about was signed was being coerced, or not.
> These situations are rather more extreme than "is somebody MITM'ing my
> connection to the webserver". If you can decide that somebody
> authorized by the Apache Foundation to sign off on releases actually did
> sign the code you got, that's actually of value.

But that's precisely my point. You have no idea what individual was 
actually responsible for signing the package you're downloading. It 
*could* be the same trusted package uploader that has signed the last 
few packages you grabbed, or it could be a nefarious individual who 
managed to get hold of Apache's secret key. My point is that there is no 
volume of signatures on or leading up to that key which will answer this 
question for you.

> The trust starts somewhere, there is always some base step where you say
> "I can't verify further, this will do". There are no absolutes in this
> game. In fact, the two points you give are /always/ valid. They do not
> make signatures useless.

I didn't say that they are useless. I said that we have to be realistic 
about what their value is (and isn't).


More information about the Gnupg-users mailing list
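One practical consequence of the exchange above is that a release signature should be checked against a fingerprint you obtained out of band from the project, not against the validity gpg computes from the web of trust. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable status lines that `gpg --status-fd 1 --verify` emits (format as documented in GnuPG's doc/DETAILS) and accepts a signature only when it is cryptographically good and was made by the pinned primary key. The fingerprints, key IDs, user ID and sample status output are constructed for illustration. Note what this check does not do, which is the point of the thread: a matching fingerprint tells you that key produced the signature, not who held the key or under what circumstances.

```python
# Added example, not from the mailing-list thread or from GnuPG: accept a
# release signature based on gpg's "[GNUPG:] ..." status lines, pinning the
# release key's fingerprint instead of relying on web-of-trust validity.
# All fingerprints, key IDs and status output below are constructed.

# Fingerprint of the project's release-signing key, obtained out of band.
# Constructed value; the real one must come from the project, not from gpg.
PINNED_FINGERPRINT = "ABCD 1234 ABCD 1234 ABCD  1234 ABCD 1234 ABCD 1234"

# Status keywords after which the signature must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr):
    """Fingerprints are often printed with spaces; compare them canonically."""
    return fpr.replace(" ", "").upper()


def parse_status(text):
    """Yield (keyword, args) for each '[GNUPG:] ' line; other output is ignored."""
    prefix = "[GNUPG:] "
    for line in text.splitlines():
        if line.startswith(prefix):
            parts = line[len(prefix):].split()
            if parts:
                yield parts[0], parts[1:]


def decide(status_text, pinned_fingerprint):
    """Return (accept, reason).

    accept is True only if no fatal status was reported and at least one
    VALIDSIG was made by the pinned key (its primary-key fingerprint or,
    for an old gpg without that field, the signing-key fingerprint).
    """
    pinned = normalize_fpr(pinned_fingerprint)
    seen_signature = False
    matched = False
    for keyword, args in parse_status(status_text):
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            seen_signature = True
            # VALIDSIG args: fpr sig-date sig-timestamp expire-timestamp
            #   sig-version reserved pubkey-algo hash-algo sig-class [primary-fpr]
            signing = normalize_fpr(args[0])
            primary = normalize_fpr(args[9]) if len(args) > 9 else signing
            if pinned in (primary, signing):
                matched = True
        # TRUST_* lines (web-of-trust validity) are deliberately ignored:
        # the pinned fingerprint replaces them, and neither says who held the key.
    if not seen_signature:
        return False, "no signature"
    if not matched:
        return False, "fingerprint mismatch"
    return True, "pinned key signed"


# Constructed status output for three cases (as gpg --status-fd 1 would print).
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 9lAnFNySKtDnjBlAQ5dWQFl1iqI 2016-03-24 1458848423
[GNUPG:] GOODSIG 7777888899990000 Example Releases <releases@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2016-03-24 1458848423 0 4 0 1 10 00 ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7777888899990000 Example Releases <releases@example.org>
"""

# A good signature from some other key that the local web of trust rates
# fully valid: still rejected, because it is not the pinned release key.
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 2kQwY0dLcE4vG8sR1tN5bX7hJ3o 2016-03-24 1458848500
[GNUPG:] GOODSIG FFFF0000FFFF0000 Someone Else <someone@example.net>
[GNUPG:] VALIDSIG FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000 2016-03-24 1458848500 0 4 0 1 10 00 FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000
[GNUPG:] TRUST_FULLY 0 pgp
"""

if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("bad", STATUS_BAD),
                         ("other key", STATUS_OTHER_KEY)):
        print(name, decide(status, PINNED_FINGERPRINT))
```

In real use the status text comes from running gpg with `--status-fd 1` (or a dedicated descriptor) against the detached signature and the downloaded file; the decision logic is the same, and the fingerprint in PINNED_FINGERPRINT is the one piece of data that must be obtained through a channel other than the download itself.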