Is there a way to know how many "hops" a key is from anything I trust, and to see the path?
On Tue, Mar 22, 2016 at 7:43 PM, Andrew Gallagher <[email protected]> wrote:
> On 22/03/16 18:30, Peter Lebbing wrote:
>> On 22/03/16 19:14, Andrew Gallagher wrote:
>>> All this is true. But this does not help *me* one iota.
>>
>> It sounds to me like you're not looking for the Web of Trust, which is indeed
>> very limited in its options. Instead, you are probably looking for something
>> more like TOFU, in the sense that this developer whose signature you see is the
>> same one whose signature you saw last time.
>
> Only for a project with one developer! Otherwise, the person who signs
> it could legitimately change between releases. Large projects often have
> a separate release signing key, but not Apache it seems...
>
> And at the risk of getting shot down (again), TOFU doesn't work. Not
> because TOFU is broken (it's a perfectly valid method), but because
> *people* are broken. How many times have you blithely clicked through an
> ssh "WARNING: the remote host key has changed!" prompt? ;-)
>
> A
>
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
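As an added example (not code from the thread or from GnuPG itself), the hop-count question can be answered by building a certification graph from `gpg --with-colons --list-sigs` output and searching breadth-first from the key in question back to any key you have decided to trust. The key IDs and the colon-format listing below are constructed, and the result is a raw count of certifications present in the keyring, not GnuPG's validity calculation, which also applies ownertrust and `--max-cert-depth`.

```python
from collections import deque

# Constructed sample of `gpg --with-colons --list-sigs` output with hypothetical
# key IDs. Only field 1 (record type) and field 5 (key ID of a pub record, or
# signer key ID of a sig record) are used; other fields are filler.
SAMPLE_COLONS = """\
pub:f:4096:1:AAAA000000000001:1400000000::::::::::
sig:::1:AAAA000000000001:1400000000::::Alice (me):13x:
sig:::1:BBBB000000000002:1400000000::::Bob:10x:
pub:-:4096:1:BBBB000000000002:1400000000::::::::::
sig:::1:AAAA000000000001:1400000000::::Alice (me):10x:
pub:-:4096:1:CCCC000000000003:1400000000::::::::::
sig:::1:BBBB000000000002:1400000000::::Bob:10x:
pub:-:4096:1:DDDD000000000004:1400000000::::::::::
sig:::1:DDDD000000000004:1400000000::::Lonely:13x:
"""

def parse_signature_graph(colons_text):
    """Map each listed key ID to the set of key IDs that certified it.
    Self-signatures are skipped: they say nothing about trust in the key."""
    signers_of, current = {}, None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            signers_of.setdefault(current, set())
        elif f[0] == "sig" and current is not None and f[4] != current:
            signers_of[current].add(f[4])
    return signers_of

def trust_path(signers_of, trusted, target):
    """Breadth-first search from the target back through its certifiers until
    a trusted key is reached. Returns [trusted, ..., target] (hops are
    len(path) - 1) or None when no chain of certifications exists."""
    if target in trusted:
        return [target]
    parent, queue = {target: None}, deque([target])
    while queue:
        key = queue.popleft()
        for signer in sorted(signers_of.get(key, ())):  # sorted: deterministic
            if signer in parent:
                continue
            parent[signer] = key
            if signer in trusted:
                path = [signer]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path
            queue.append(signer)
    return None
```

Feeding the real output of `gpg --with-colons --list-sigs` to parse_signature_graph works the same way. A signature from a key that is not in your keyring still appears as a signer ID, so a path may pass through a key you have never seen, let alone verified.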
