On Mon, 22 Feb 2016 18:21:04 -0000
"Ralf Senderek" <fedora@xxxxxxxxxxx> wrote:

> While signing new keys with old release keys would certainly help to
> make the attacker's job harder, it doesn't solve the trust problem.

I don't think it even makes their job harder.

> The one thing people would have to check is the fingerprint. That in
> itself would be sufficient even if the new key is not being signed by
> another one. The current download gives a fingerprint for the new
> Fedora 24 key:
>
> Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521
>
> and this could as well be manipulated by the attacker who has access
> to the web server. Given that this fingerprint is actually correct,
> it would help if it was printed off-line in any publication
> authorized by Fedora. The use and distribution of the fingerprint to
> various places showing consistently the same information would make
> it near impossible to fake the key. If that had been done beforehand,
> all a new, ordinary user would have to do is to check this one
> fingerprint.

They would know that they should do this how?

It is available on sks keyservers like keys.fedoraproject.org

> So please can someone convince me that the key above is really the
> right one? If so, using this fingerprint anywhere would help to build
> the trust that is not there yet.

In the end you are either trusting the https network or the gpg web of
trust.

> Using HTTPS does not at all verify that the information you get is
> correct, it assures you of the correct origin, if https actually
> works as advertised, which in many cases it doesn't, but Red Hat
> could publish the Fedora fingerprint as well on their servers.
> --

Sure, but who would know to look there?

If the site is compromised, most bets are off sadly.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx