Re: Digital signatures

Tim:
>> I don't see a problem in someone posting a signed message.  I do see a
>> problem in believing that they are who they claim to be.  There isn't
>> any verification done, it's self-signed (self created).  I've yet to
>> find *any* GPG/PGP key that was counter-signed by another person, let
>> alone one that was counter-signed by someone I trust.

Ed Greshko:
> Well, you don't have to believe who they claim to be....but you have to admit
> that if someone like "David Boles" signs all of his emails and you get an
> email from someone claiming he is "David Boles" where he calls you "wanker"
> but the signature doesn't verify then you know the "original David Boles" is
> not to blame.  That is why key management is there where you can assign
> levels of trust.

Yeah, I know.  It makes it hard for a second person to say that they're
John Doe, but it's still dead easy for one person to say they are, in
the first place.

If another person decides they're going to claim they're John Doe, and makes a
GPG/PGP key for their John Doe persona, their signed e-mails will show
up as being valid.  They are; the person who made *their* key also made
their message.  It's a different key than the other John Doe, of course,
but your mail &/or GPG/PGP client doesn't do that sort of check.

>> I think that is a glaring omission when it comes to RPM packages, or
>> even notices about updates.  Never mind e-mails.

> Nahhh...  As long as you pickup the public key from a source you trust then
> there is no issue.

I haven't looked too closely at the packages; I'd hope that however the repos
are managed, they do that.  But have a look at the update notices.  Those are
signed by the person maintaining that package, and I've only seen
self-signed messages.  None with a countersign to their signature.

The obvious thing, to me, would have been to have package maintainers'
GPG/PGP keys countersigned by a key we ought to be able to trust
associated with Fedora or the repo system.

-- 
[tim@bigblack ~]$ rm -rfd /*^H^H^H^H^H^H^H^H^H^Huname -ipr
2.6.21-1.3228.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
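Added illustration, not part of the thread above: a small Go program that models the two-"John Doe" situation described in the message and the countersigning it asks for. Ed25519 keys stand in for GPG/PGP keys, the `Key`, `SignedMail` and `Certification` types and the certification payload format are constructed for this example (they are not OpenPGP's), and the "trust anchor" is a stand-in for a distribution or repository signing key. `NaiveVerify` does what a client that only checks "signature valid for the attached key, name matches From" does, so both John Does pass; `TrustedVerify` additionally requires the key to be countersigned by the anchor for that name, so only the genuine one passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key is a constructed stand-in for a GPG/PGP public key: the user ID the
// key holder chose for themselves, plus the public key material.
type Key struct {
	Name string
	Pub  ed25519.PublicKey
}

// Fingerprint identifies a key by its public material, never by its name.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignedMail is a constructed message: the claimed sender, the body, the
// signature over the body, and the key the sender says produced it.
type SignedMail struct {
	From string
	Body string
	Sig  []byte
	Key  Key
}

// NaiveVerify mirrors the check the message complains about: the signature
// verifies against the attached key and that key's name matches From.
// Anyone who generates a key named "John Doe" passes.
func NaiveVerify(m SignedMail) bool {
	return m.Key.Name == m.From && ed25519.Verify(m.Key.Pub, []byte(m.Body), m.Sig)
}

// Certification is a constructed stand-in for a countersignature: a trust
// anchor signs (name, fingerprint) of a key it vouches for.
type Certification struct {
	Name        string
	Fingerprint string
	Sig         []byte
}

func certPayload(name, fp string) []byte { return []byte(name + "\x00" + fp) }

// Certify has the trust anchor vouch that this name belongs to this key.
func Certify(anchorPriv ed25519.PrivateKey, k Key) Certification {
	fp := Fingerprint(k.Pub)
	return Certification{Name: k.Name, Fingerprint: fp, Sig: ed25519.Sign(anchorPriv, certPayload(k.Name, fp))}
}

// TrustedVerify accepts the mail only if the body signature verifies AND the
// attached key is countersigned, for the From name, by an anchor we trust.
func TrustedVerify(m SignedMail, anchorPub ed25519.PublicKey, certs []Certification) bool {
	if !ed25519.Verify(m.Key.Pub, []byte(m.Body), m.Sig) {
		return false
	}
	fp := Fingerprint(m.Key.Pub)
	for _, c := range certs {
		if c.Name == m.From && c.Fingerprint == fp &&
			ed25519.Verify(anchorPub, certPayload(c.Name, c.Fingerprint), c.Sig) {
			return true
		}
	}
	return false
}

// Scenario builds the genuine and the impostor "John Doe" keys (constructed
// data) and reports what each checker says about the genuine mail and the
// impostor's mail: naiveGenuine, naiveImpostor, trustedGenuine, trustedImpostor.
func Scenario() (bool, bool, bool, bool) {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuinePub, genuinePriv, _ := ed25519.GenerateKey(rand.Reader)
	impostorPub, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := Key{Name: "John Doe", Pub: genuinePub}
	impostor := Key{Name: "John Doe", Pub: impostorPub} // same self-chosen name, different key
	certs := []Certification{Certify(anchorPriv, genuine)} // only the genuine key is countersigned

	mail := func(k Key, priv ed25519.PrivateKey, body string) SignedMail {
		return SignedMail{From: "John Doe", Body: body, Sig: ed25519.Sign(priv, []byte(body)), Key: k}
	}
	real := mail(genuine, genuinePriv, "Update notice: foo-1.2 is in updates-testing")
	fake := mail(impostor, impostorPriv, "Update notice: please install foo-1.2 from this URL")

	return NaiveVerify(real), NaiveVerify(fake),
		TrustedVerify(real, anchorPub, certs), TrustedVerify(fake, anchorPub, certs)
}

func main() {
	ng, ni, tg, ti := Scenario()
	fmt.Printf("naive:   genuine=%v impostor=%v\n", ng, ni)
	fmt.Printf("trusted: genuine=%v impostor=%v\n", tg, ti)
}
```

The point the output makes is the one in the thread: a valid self-signature only proves the message came from whoever holds that key, and a client has no way to tell two keys named "John Doe" apart until something it already trusts (a repository or distribution key, or a key the user has verified) has certified which one is real.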



-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list