On 03/24/2016 02:53 AM, Peter Lebbing wrote:
> On 23/03/16 22:07, Doug Barton wrote:
>> 1. You don't know if the key was in full control of the
>> person/organization it purports to represent before, during, or after
>> the signatures you are trusting were applied.
>> 2. You don't know if the person in control of the key at the time the
>> thing you care about was signed was being coerced, or not.
> These situations are rather more extreme than "is somebody MITM'ing my
> connection to the apache.org webserver". If you can decide that somebody
> authorized by the Apache Foundation to sign off on releases actually did
> sign the code you got, that's actually of value.
But that's precisely my point. You have no idea what individual was
actually responsible for signing the package you're downloading. It
*could* be the same trusted package uploader that has signed the last
few packages you grabbed, or it could be a nefarious individual who
managed to get hold of Apache's secret key. My point is that there is no
volume of signatures on or leading up to that key which will answer this
question for you.
> The trust starts somewhere, there is always some base step where you say
> "I can't verify further, this will do". There are no absolutes in this
> game. In fact, the two points you give are /always/ valid. They do not
> make signatures useless.
I didn't say that they are useless. I said that we have to be realistic
about what their value is (and isn't).
Doug
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users