Verification via the web of trust

Ben McGinnes ben at
Fri Mar 25 21:08:19 CET 2016

On Tue, Mar 22, 2016 at 06:43:20PM +0000, Andrew Gallagher wrote:
> On 22/03/16 18:30, Peter Lebbing wrote:
> > On 22/03/16 19:14, Andrew Gallagher wrote:
> >> All this is true. But this does not help *me* one iota.
> > 
> > It sounds to me like you're not looking for the Web of Trust, which is indeed
> > very limited in its options. Instead, you are probably looking for something
> > more like TOFU, in the sense that this developer whose signature you see is the
> > same one whose signature you saw last time.
> Only for a project with one developer! Otherwise, the person who signs
> it could legitimately change between releases. Large projects often have
> a separate release signing key, but not apache it seems...

A lot of larger projects leave component signing to the key of whoever
manages that component rather than having one signing key which is
shared amongst an ever widening group of approved managers.  The Tor
Project is one, Python is another.

Far easier to say between version X and Y, the correct key was this
one, belonging to Alice and since then it's been Bob than to have to
deal with "hey, our Über-Auth key just got compromised, everyone needs
to update and how do we contact those people who don't always refresh
their keys, but do download the packages ... "

Now whether those developers have a different key to sign the projects
they're working on to their correspondence key(s), is another matter
and presumably a decision left to each developer or build manager.

> And at the risk of getting shot down (again), TOFU doesn't work. Not
> because TOFU is broken (it's a perfectly valid method), but because
> *people* are broken. How many times have you blithely clicked through an
> ssh "WARNING: the remote host key has changed!" prompt? ;-)

I just enforce strict.  Normally they only change because I've wiped
and reinstalled the server's OS and I know whose fault that is.  ;)

There's also TOFU+PGP and whichever default policy you want.  I
suspect most people go with either unknown or undefined.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: </pipermail/attachments/20160326/c717f5d5/attachment.sig>

More information about the Gnupg-users mailing list