On 23/03/16 22:07, Doug Barton wrote:
> 1. You don't know if the key was in full control of the
> person/organization it purports to represent before, during, or after
> the signatures you are trusting were applied.
>
> 2. You don't know if the person in control of the key at the time the
> thing you care about was signed was being coerced, or not.

These situations are rather more extreme than "is somebody MITM'ing my connection to the apache.org webserver". If you can decide that somebody authorized by the Apache Foundation to sign off on releases actually did sign the code you got, that's actually of value.

The trust starts somewhere; there is always some base step where you say "I can't verify further, this will do". There are no absolutes in this game. In fact, the two points you give are /always/ valid. They do not make signatures useless.

If I can conclude that the Debian project accepts signatures by someone for releases of the Apache webserver, I feel pretty confident that so can I. Somebody might actually be playing a very intricate game. Well, they seem to have managed to subvert a majorly large Linux distribution[1]; I might as well give up against this actor, I'm no match for them.

My 2 cents,

Peter.

[1] Or alternatively, the installation media from which I installed Debian, because again, the trust has to start somewhere.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
