Digital signatures

Tim ignored_mailbox at yahoo.com.au
Fri Jul 13 04:21:43 UTC 2007 

Tim:
>> I don't see a problem in someone posting a signed message.  I do see a
>> problem in believing that they are who they claim to be.  There isn't
>> any verification done, it's self-signed (self created).  I've yet to
>> find *any* GPG/PGP key that was counter-signed by another person, let
>> alone one that was counter-signed by someone I trust.

Ed Greshko:
> Well, you don't have believe who they claim to be....but you have to admit
> that if someone like "David Boles" signs all of his emails and you get an
> email from someone claiming he is "David Boles" where he calls you "wanker"
> but the signature doesn't verify then you know the "original David Boles" is
> not to blame.  That is why key management is there where you can assign
> levels of trust.

Yeah, I know.  It makes it hard for a second person to say that they're
John Doe, but it's still dead easy for one person to say they are, in
the first place.

If another person decide they're going to claim their John Doe, make a
GPG/PGP key for their John Doe persona, their signed e-mails will show
up as being valid.  They are, they person who made *their* key also made
their message.  It's a different key than the other John Doe, of course,
but your mail &/or GPG/PGP client doesn't do that sort of check.

>> I think that is a glaring omission when it comes to RPM packages, or
>> even notices about updates.  Nevemind e-mails.

> Nahhh...  As long as you pickup the public key from a source you trust then
> there is no issue.

I haven't looked to closely at the packages, I'd hope however the repos
are managed do that.  But have a look at the update notices.  Those are
signed by the person maintaining that package, I've only seen
self-signed messages.  None with a countersign to their signature.

The obvious thing, to me, would have been to have package maintainers
GPG/PGP key countersigned by a key we ought to be able to trust
associated with Fedora or the repo system.

-- 
[tim at bigblack ~]$ rm -rfd /*^H^H^H^H^H^H^H^H^H^Huname -ipr
2.6.21-1.3228.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

More information about the fedora-list mailing list