Re: More prominent link to verification hashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 22 Feb 2016 18:21:04 -0000
"Ralf Senderek" <fedora@xxxxxxxxxxx> wrote:

> While signing new keys with old release keys would certainly help to
> make the attacker's job harder, it doesn't solve the trust problem. 

I don't think it even makes their job harder. 

> The one thing people would have to check is the fingerprint. That in
> itself would be sufficient even if the new key is not being signed by
> another one. The current download gives a fingerprint for the new
> Fedora 24 key:
> 
> Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521
> 
> and this could as well be manipulated by the attacker who has access
> to the web server. Given that this fingerprint is actually correct,
> it would help if it was printed off-line in any publication
> authorized by Fedora. The use and distribution of the fingerprint to
> various places showing consistently the same information would make
> it near impossible to fake the key. If that had been done beforehand,
> all a new, ordinary user would have to do is to check this one
> fingerprint.

They would know that they should do this how? 

It is available on sks keyservers like keys.fedoraproject.org

> So please can someone convince me that the key above is really the
> right one? If so, using this fingerprint anywhere would help to build
> the trust that is not there yet.

In the end you are either trusting the https network or the gpg web of
trust. 

> Using HTTPS does not at all verify that the information you get is
> correct, it assures you of the correct origin, if https actually
> works as advertised, which in many cases it doesn't, But Red Had
> could publish the Fedora fingerprint as well on their servers. --

Sure, but who would know to look there?

If the site is compromised, most bets are off sadly. 

kevin

Attachment: pgpDOUUfctPtj.pgp
Description: OpenPGP digital signature

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux