On Fri, Nov 18, 2011 at 05:47:28PM -0600, Bruce Dubbs wrote:
>
> In a WoT there is no single authority, but a lot of transitive
> relationships. A trusts B and B vouches for C, so A trusts C. The WoT
> can be quite complicated as there are degrees of trust. How sure is A
> that he trusts B? A lot? Some? A little?
>
> The idea behind the WoT is that you get together, face to face, with
> others and sign each other's certificates. That trust relationship is
> uploaded to a key server where others can use the fact that A trusts B
> to establish how much trust to give D, E, and F.
>
> To use PGP, you do need to create a key, but you can keep it local. You
> don't have to trust anyone else, but then you can't really use the PGP
> key to do things other than encrypt or sign things for yourself. If
> someone puts a signature on one website (e.g. a keyserver) and signs a
> tarball that's on another site, then a bad guy has to break into both
> sites to compromise the keys. Since the keys are distributed over
> multiple sites, that's even harder. One simple thing that can be done
> is to check that the product (tarball, etc.) is properly signed by *some*
> key. Trusting that it is the correct key is up to you.
>
> It all boils down to how much verification do you need? For the WoT,
> you have to decide what's good enough.
>

Thanks. I'll review this when I've managed to build, and boot, LFS-7.0 (my LFS scripts are now theoretically ready, but I'm sure they contain show-stopping errors, and I'm working my way through the scripts for things I want to build before rebooting (apart from checking the versions, it's only mundane things like dhclient [ bootscript patch, v000, prepared ], nfs, plus a load of other stuff which hopefully really will be mundane ;) ).
ĸen -- the first time as tragedy, the second time as farce --
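The "degrees of trust" and transitive vouching described in the quoted message can be made concrete with a small model. The following is an added example, not code from the thread or from GnuPG; it follows the classic GnuPG-style rule (a key is valid if you own it, or if it is certified by one fully trusted valid key or by three marginally trusted valid keys, within a bounded certification depth) and uses a constructed set of keys A through J and signature relationships that are assumptions for illustration. The last function separates the two checks Bruce draws apart: "is the tarball properly signed by *some* key" versus "is that key one I consider valid".

```python
# Added example (not from the original thread): a toy model of PGP-style
# transitive trust with degrees of trust. Key IDs and signature edges
# below are constructed for illustration.

NONE, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3

# How far we trust each key *owner* to certify other people's keys.
# Keys absent from this dict have NONE trust (the GnuPG default).
OWNER_TRUST = {"A": ULTIMATE, "B": FULL, "C": MARGINAL, "D": MARGINAL, "E": MARGINAL}

# key -> set of keys that have signed (certified) it.
SIGNATURES = {
    "B": {"A"}, "C": {"A"}, "D": {"A"}, "E": {"A"},  # A signed these face to face
    "F": {"B"},            # one fully trusted signer is enough
    "G": {"C", "D", "E"},  # three marginal signers add up to valid
    "H": {"C", "D"},       # only two marginals: not enough
    "I": {"F"},            # F is valid, but we gave F's owner no trust
    "J": {"Z"},            # signer we have never seen
}


def compute_validity(own_key, owner_trust, signatures, max_depth=5,
                     marginals_needed=3, completes_needed=1):
    """Return the set of key IDs whose identity we consider valid.

    Validity only propagates through keys that are themselves valid AND
    whose owners we trust to certify; each round of the loop extends the
    reachable set by one certification hop, bounded by max_depth.
    """
    valid = {own_key}
    for _depth in range(max_depth):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            trusted_signers = [s for s in signers if s in valid]
            full = sum(1 for s in trusted_signers if owner_trust.get(s, NONE) >= FULL)
            marginal = sum(1 for s in trusted_signers if owner_trust.get(s, NONE) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break  # fixed point reached before the depth limit
        valid |= newly_valid
    return valid


def signature_verdict(signer_key, known_keys, valid_keys):
    """Classify a tarball signature whose cryptographic check already passed.

    'signed by some key' is the cheap check; whether that key is the
    *right* key is a separate decision that depends on the WoT result.
    """
    if signer_key not in known_keys:
        return "unknown signer"
    if signer_key not in valid_keys:
        return "known key, identity not validated"
    return "signed by a validated key"


def demo():
    """Run the toy WoT over the constructed data and return the valid set."""
    return compute_validity("A", OWNER_TRUST, SIGNATURES)


if __name__ == "__main__":
    valid = demo()
    known = set(SIGNATURES) | {"A"}
    print("valid keys:", sorted(valid))
    for signer in ("B", "G", "H", "Z"):
        print(signer, "->", signature_verdict(signer, known, valid))
```

Running it shows F accepted through a single full-trust path and G through three marginal paths, while H (two marginals), I (valid signer with no owner trust) and J (unknown signer) stay unvalidated; lowering `marginals_needed` or raising `max_depth` changes the answer, which is exactly the "what's good enough" decision the message leaves to you.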
