on 7/12/2007 10:12 PM, Todd Zullinger wrote: > Tim wrote: >> Yeah, I know. It makes it hard for a second person to say that >> they're John Doe, but it's still dead easy for one person to say >> they are, in the first place. >> >> If another person decide they're going to claim their John Doe, make >> a GPG/PGP key for their John Doe persona, their signed e-mails will >> show up as being valid. They are, they person who made *their* key >> also made their message. It's a different key than the other John >> Doe, of course, but your mail &/or GPG/PGP client doesn't do that >> sort of check. > > If you've got a gpg plugin for your mail that doesn't do this sort of > check and provide a way to alert the user to the fact that the keys > don't match, then that plugin is crap. > > It's also possible that many users don't understand how to work with > the pgp system and thus they ignore important pieces of information. > There is some amount of work that needs to be done by each user in > order to avoid various pitfalls. > > I can assure you that if you signed your messages and I cared about > verifying them, that I would notice very easily if someone else sent > me signed message using the same name and address on a different key. > :) > >> I haven't looked to closely at the packages, I'd hope however the >> repos are managed do that. > > As I understand it, currently the signing of packages for updates is > done manually by the admins. There is work afoot to create a signing > server[1] which will be able to help automate this process. > Obviously, keeping such a system secure is very important. > >> But have a look at the update notices. Those are signed by the >> person maintaining that package, I've only seen self-signed >> messages. None with a countersign to their signature. > > Where are those at? I don't subscribe to the package announcement > list and looking at the archives I didn't see any signtures, so either > I'm not looking at what you're talking about or the list software is > filtering the sigs. > > I don't think that individual maintainers sign the announcement > messages, at least I never saw that in any of the maintainer docs I've > seen on pushing updates. I'm genuinely curious to know what notices > you're referring to. > > [1] http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft FYI Tim. Todd is Todd. He checks out. I still don't know just who you are however. ;-) -- David
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list