On Sat, Sep 03, 2011 at 02:36:54PM -0400, [email protected] wrote 2.2K bytes in 43 lines about:
: Is there a solution for this specific case? Someone claiming to be
: Roger Dingledine included a PGP signature block in the msg that
: started this thread. Nobody's responded "Hey! That wasn't me!!" or
: "That's not my PGP sig!" so it seems safe enough to trust that sig.
: Is there a secure way to get from that PGP sig to whatever's necessary
: for verifying a TOR package one just downloaded?

This is what the pgp web of trust is about. You can either meet roger, or erinn, or me, or mikeperry, or jacob, etc. and have us physically hand you our pgp fingerprints. Or you can trust someone who has met us and signed our keys, that you then trust. Or trust someone who has trusted someone who has met us and trusted us.

Trust is like onions, onions have layers. Trust is not like parfaits.

https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust

-- 
Andrew
pgp key: 0x74ED336B
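
The layered trust described in the reply above, as an added example that is not part of the original message or any Tor Project code: a simplified model of how GnuPG's classic trust model decides which keys are valid, using GnuPG's default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5). Every key name and certification below is constructed for illustration, and the depth handling is a simplification of what gpg actually does.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"

def valid_keys(me, certs, ownertrust, completes_needed=1,
               marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key valid from `me`'s point of view.

    certs      -- iterable of (signer, signed) key certifications
    ownertrust -- how far I trust each key's owner to certify others
    """
    signers = defaultdict(set)
    for signer, signed in certs:
        signers[signed].add(signer)

    depth = {me: 0}                      # my own key is ultimately trusted
    for level in range(1, max_depth + 1):
        newly = {}
        for key, by in signers.items():
            if key in depth:
                continue
            # A certification only counts if the signing key is itself valid.
            usable = [s for s in by if s in depth]
            full = sum(1 for s in usable
                       if s == me or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in usable
                           if ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = level
        if not newly:
            break
        depth.update(newly)
    return depth

# Constructed keyring: I met alice, bob, carol and dave and signed their keys.
CERTS = [("me", "alice"), ("alice", "erin"), ("erin", "dev_key"),
         ("me", "bob"), ("me", "carol"), ("me", "dave"),
         ("bob", "mirror_key"), ("carol", "mirror_key"),
         ("mallory", "fake_dev_key")]    # mallory is signed by nobody I trust
OWNERTRUST = {"alice": FULL, "erin": FULL,
              "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key, d in sorted(valid_keys("me", CERTS, OWNERTRUST).items()):
        print(f"{key:12s} valid at depth {d}")
```

Here `dev_key` becomes valid three layers out (me, alice, erin), `mirror_key` stays invalid with only two marginal signers, and `fake_dev_key` is never valid because the key that certified it has no path back to me.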
