On Wednesday 05 April 2006 13:49, "Lord Sauron" 
<[EMAIL PROTECTED]> wrote about 'Re: [gentoo-user] 
Beautification - Splash':
> > You sent two copies of your message, one signed, the other not.  You
> > also didn't publish your public key on any keyserver that my kmail
> > polls for keys (I think I poll 6 servers, though at least 3 of other
> > shares keys among themselves, too).
>
> So that's what people are talking about whenever they say there's
> gonna be a "public key signing!"  I've been idly wondering what that
> could be.
>
> Okay...  that makes sense now.

No, a public key signing is when you verify that the key(s) provided by the 
keyserver match the person they are supposed to.  The keyserver provides a 
key to you based on its ID, and the key itself contains what email 
address it can be attached to, but that doesn't tell you that *I* signed 
it.  You'd have to talk face-to-face with me (or some other pre-secured 
method) to know that *I* uploaded that key.  Anyone can upload a key 
purporting to be from [EMAIL PROTECTED] and then send a message signed 
with that key. (Keys are essentially random, and anyone can send a mail 
with the "From" header saying "[EMAIL PROTECTED]".  In the most 
paranoid case, mail TO [EMAIL PROTECTED] [assuming it isn't a send-only 
email address] can be intercepted by anyone with physical or root access 
to the computer pointed to by the MX record of volumehost.net.)

Everyone takes either key fingerprint, email address (or key ID), and 
personal ID that they expect to be able to give to others.  Then they pair 
off in some organized fashion and exchange those items.  At the end you go 
home to trust keys are what they purport to be and possibly sign them and 
publish the signatures.  If you trust person X to thoroughly ID people, 
then a signature from X of Y's key tells you that Y's key actually belongs 
to person Y; so you can trust it.  Thus, you can build a web of trust.

> > This message is validly signed, although probably by a key you don't
> > trust (nor should you until you verify the key actually belongs to the
> > person it claims to).
>
> Most key servers use hardened Linux or SE Linux, right?  Since that is
> what they're supposed to be for?  I think I could scrape together
> another cheap-o server to make into my own key server...  that'd be
> cool.  If nothing else it'd be nice to play with it a bit : )

Most keyservers were up and running before hardened or SE Linux was 
available, but may have been upgraded.  They are supposed to be difficult 
to break into and/or spoof, just like any public server, but they are 
*NOT* a source of trust.  They accept and provide keys without any tests.  
They are a convenient publishing method, they are *NOT* part of the trust 
equation.

There have been occasions, IIRC, that keyservers have been compromised, but 
since they aren't a source of trust, this isn't much of an issue.  *Some* 
people /might/ trust any key obtained from a keyserver, but any technology 
can be incorrectly used; PKI is no exception.

> > --
> > "If there's one thing we've established over the years,
> > it's that the vast majority of our users don't have the slightest
> > clue what's best for them in terms of package stability."
> > -- Gentoo Developer Ciaran McCreesh
>
> I honestly hope you're just joking.  Really, the world gets much
> scarier when that is true...

Check the Gmane archives if you don't believe me.  Ciaran said it and has 
yet to even take notice of my signature quoting him.  Hell, sometimes I 
almost believe it.  In my most cynical moments, I think we should stop 
helping people install Gentoo, just so we have some minimum competency 
requirement for users.

Then, I realize that I probably wouldn't have the wonderful Gentoo system I 
have now without the support of the other Gentoo users; I'd probably be 
running Debian. :/

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh

Attachment: pgp1TmaAZYh6E.pgp
Description: PGP signature
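
An added illustration of the trust model described in this message (not part of the original mail; every name, address and fingerprint is constructed): the keyserver returns any key that claims an address, and only a signature chain starting from a key you verified yourself makes one of them believable. Treating a single signature from a trusted introducer as sufficient is a simplifying assumption of this example.

```python
from collections import namedtuple

# Constructed sample data: a key is a fingerprint plus the address it claims.
Key = namedtuple("Key", "fpr uid")

# What a keyserver holds: whatever anyone uploaded. Two keys claim Bob's address.
KEYSERVER = [
    Key("AAAA1111", "alice@example.org"),  # fingerprint checked in person
    Key("BBBB2222", "bob@example.org"),    # Bob's key, ID-checked by Alice
    Key("EEEE6666", "bob@example.org"),    # uploaded by someone else entirely
    Key("CCCC3333", "carol@example.org"),
]

# Published signatures as (signer fingerprint, signed fingerprint).
SIGNATURES = {
    ("AAAA1111", "BBBB2222"),  # Alice vouches for Bob's key
    ("EEEE6666", "EEEE6666"),  # self-signature only; says nothing about identity
    ("BBBB2222", "CCCC3333"),  # Bob vouches for Carol's key
}

def lookup(uid):
    """Keyserver behaviour: return every key claiming uid, without any test."""
    return [k for k in KEYSERVER if k.uid == uid]

def valid_keys(verified, introducers):
    """Fingerprints we may believe: verified in person, or signed by a valid
    key whose owner we trust to check IDs thoroughly (an introducer)."""
    valid = set(verified)
    changed = True
    while changed:  # repeat until no new key becomes valid
        changed = False
        for signer, signed in SIGNATURES:
            if signer in valid and signer in introducers and signed not in valid:
                valid.add(signed)
                changed = True
    return valid

def usable(uid, verified, introducers):
    """Keys for uid backed by our web of trust, not merely by the keyserver."""
    valid = valid_keys(verified, introducers)
    return [k.fpr for k in lookup(uid) if k.fpr in valid]

if __name__ == "__main__":
    verified = {"AAAA1111"}  # the one fingerprint compared face-to-face
    print(len(lookup("bob@example.org")))  # the keyserver offers both keys
    print(usable("bob@example.org", verified, {"AAAA1111"}))
    print(usable("carol@example.org", verified, {"AAAA1111"}))
```
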
