Re: More prominent link to verification hashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 22 Feb 2016 19:22:24 -0000
"Ralf Senderek" <fedora@xxxxxxxxxxx> wrote:

> > If the site is compromised, most bets are off sadly.   
> 
> Yes, for people who look only in one place, the manipulated web
> server. But that is the reason why the fingerprint has to pop up in
> different places where it is hard to fake. Even if this one user can
> be tricked, others can discover that the site is compromised if the
> fingerprint is independently recorded many times elsewhere.

But how would anyone even know to look there? 
Or if someone told you: "you should check for this key fingerprint on
10 sites before you trust it", an intruder could just spin up 10 random
sites that mention their compromised key. 

I see what you are getting at, but it would only help people heavily
involved in the project any. 

> BTW, pointing to a key server is not the way to convince anyone. A
> key server is a convenient way to get keys, not a tool to assure
> their authenticity. So I don't think that there is much of an
> alternative other than someone stepping in and provide some
> first-hand knowledge about the key. --

My point was that you can get the signatures off the key from the
keyserver and see if any of them are someone you trust. If not, are
they connected to someone you trust (hey, look, web of trust). I think
expanding the web of trust on the signatories of the keys would help
more than just trying to distribute the key fingerprint "lots of
places".

kevin

Attachment: pgpkKwfu2MU_c.pgp
Description: OpenPGP digital signature

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux