[Please CC Johannes Thomas Nix on replies; he's not subscribed.]
* Johannes Thomas Nix <johannes.thomas....@posteo.net>, 2016-08-11, 09:16:
Found on Reddit a mention of the debian-devel thread about finding GPG
key collisions for developer keys.
Why I write, a while ago I thought about these issues of key
verification, and resulted in making a small tool which can discover
and check trust paths within the PGP web of trust. It uses the "PGP
pathfinder" service to discover signature chains. It also warns about
collisions.
The thing is still somewhat experimental (probably not suited for
general use) but it might be helpful in situations like this.
https://gitlab.com/jnxx/check-trustpaths
Very interesting.
Sounds vaguely similar to Enrico's verify-trust-paths:
https://github.com/spanezz/verify-trust-paths
I am not writing this to debian-devel as I am not myself on the list.
We welcome contributions from people who are not subscribed, too.
If you think this is on topic and helpful, you are allowed to share
this message.
Done!
--
Jakub Wilk