On Mon, 22 Feb 2016 19:22:24 -0000 "Ralf Senderek" <fedora@xxxxxxxxxxx> wrote:

> > If the site is compromised, most bets are off sadly.
>
> Yes, for people who look only in one place, the manipulated web
> server. But that is the reason why the fingerprint has to pop up in
> different places where it is hard to fake. Even if this one user can
> be tricked, others can discover that the site is compromised if the
> fingerprint is independently recorded many times elsewhere.

But how would anyone even know to look there? Or if someone told you:
"you should check for this key fingerprint on 10 sites before you trust
it", an intruder could just spin up 10 random sites that mention their
compromised key.

I see what you are getting at, but it would only help people heavily
involved in the project.

> BTW, pointing to a key server is not the way to convince anyone. A
> key server is a convenient way to get keys, not a tool to assure
> their authenticity. So I don't think that there is much of an
> alternative other than someone stepping in and providing some
> first-hand knowledge about the key.

My point was that you can get the signatures off the key from the
keyserver and see if any of them are someone you trust. If not, are they
connected to someone you trust (hey, look, web of trust).

I think expanding the web of trust on the signatories of the keys would
help more than just trying to distribute the key fingerprint "lots of
places".

kevin
Attachment:
pgpkKwfu2MU_c.pgp
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
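The check Kevin describes (pull the certifications off the key, see whether any signer is someone you already trust, and if not whether the signers are themselves connected to someone you trust) can be automated over the colon-format output of `gpg --with-colons --list-sigs`. The following is an added example, not code from this thread or from Fedora; the listing embedded in it is constructed to mimic that format, and every key ID, name and address in it is fictitious. It also shows why Kevin's objection to "ten random sites" carries over to keyservers: a key can collect any number of certifications from freshly made sock-puppet keys, but none of them bring it one hop closer to a key you trust.

```python
"""Search for a web-of-trust path from a key you need to verify back to keys
you already trust, using the certifications a keyserver returns for it.

Added example, not code from the mailing-list thread.  SAMPLE_LISTING is a
constructed imitation of `gpg --with-colons --list-sigs`; all key IDs and
user IDs are fictitious.  Real output escapes ':' inside user IDs as \\x3a.
"""
from collections import deque

# Field layout (0-based, as documented in GnuPG's doc/DETAILS) used below:
#   pub records: [4] key ID of the key being listed
#   sig records: [4] signer key ID, [9] signer user ID (or
#                "[User ID not found]" when the signer's key is not local),
#                [10] signature class: "10".."13" are certifications,
#                trailing "x" means exportable.  Revocations arrive as
#                `rev` records and are not certifications.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1455000000:::-:::scESC::::::23::0:
uid:u::::1455000000::HASH1::Project Signing Key <keys@example.org>::::::::::0:
sig:::1:1111111111111111:1455000000::::Project Signing Key <keys@example.org>:13x::::::::
sig:::1:2222222222222222:1455000100::::Bob Maintainer <bob@example.org>:10x::::::::
sig:::1:3333333333333333:1455000200::::[User ID not found]:10x::::::::
sig:::1:4444444444444444:1455000300::::[User ID not found]:10x::::::::
pub:u:4096:1:2222222222222222:1454000000:::-:::scESC::::::23::0:
uid:u::::1454000000::HASH2::Bob Maintainer <bob@example.org>::::::::::0:
sig:::1:2222222222222222:1454000000::::Bob Maintainer <bob@example.org>:13x::::::::
sig:::1:5555555555555555:1454000100::::Carol Known <carol@example.org>:12x::::::::
pub:u:4096:1:5555555555555555:1453000000:::u:::scESC::::::23::0:
uid:u::::1453000000::HASH3::Carol Known <carol@example.org>::::::::::0:
sig:::1:5555555555555555:1453000000::::Carol Known <carol@example.org>:13x::::::::
pub:u:4096:1:9999999999999999:1455500000:::-:::scESC::::::23::0:
uid:u::::1455500000::HASH4::Project Signing Key <keys@example.org>::::::::::0:
sig:::1:9999999999999999:1455500000::::Project Signing Key <keys@example.org>:13x::::::::
sig:::1:3333333333333333:1455500100::::[User ID not found]:10x::::::::
sig:::1:4444444444444444:1455500200::::[User ID not found]:10x::::::::
sig:::1:6666666666666666:1455500300::::[User ID not found]:10x::::::::
rev:::1:7777777777777777:1455500400::::[User ID not found]:30x::::::::
"""

CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def parse_certifications(listing):
    """Map each listed key ID to the set of *other* key IDs that certified it.

    Self-signatures are skipped (they say nothing about who vouches for the
    key) and only `sig` records with a certification class count.
    """
    signers_of = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            signers_of.setdefault(current, set())
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]
            sig_class = fields[10] if len(fields) > 10 else ""
            if signer != current and sig_class[:2] in CERTIFICATION_CLASSES:
                signers_of[current].add(signer)
    return signers_of


def unknown_signers(signers_of, key):
    """Certifiers of `key` whose own keys do not appear in the listing.

    These are exactly the "ten random sites" of the keyserver world: they
    can be inspected, but they cannot be followed anywhere.
    """
    return {s for s in signers_of.get(key, ()) if s not in signers_of}


def trust_path(signers_of, target, trusted, max_hops=5):
    """Breadth-first search from `target` back through its certifiers.

    Returns the shortest chain [target, signer, ..., trusted_key], or None
    when no trusted key is reachable within `max_hops` certifications.
    The default of 5 mirrors GnuPG's --max-cert-depth (an assumption of this
    example; the thread specifies no depth).
    """
    if target in trusted:
        return [target]
    queue = deque([[target]])
    seen = {target}
    while queue:
        path = queue.popleft()
        if len(path) > max_hops:          # path of n keys == n-1 hops
            continue
        for signer in sorted(signers_of.get(path[-1], ())):
            if signer in seen:
                continue
            if signer in trusted:
                return path + [signer]
            seen.add(signer)
            queue.append(path + [signer])
    return None


if __name__ == "__main__":
    graph = parse_certifications(SAMPLE_LISTING)
    trusted = {"5555555555555555"}        # key(s) you verified in person
    for key in ("1111111111111111", "9999999999999999"):
        print(key, "path:", trust_path(graph, key, trusted),
              "unknown signers:", sorted(unknown_signers(graph, key)))
```

In the constructed data the genuine key 1111… reaches Carol through Bob in two hops, while the look-alike key 9999… carries three certifications and a revocation but no path at all, because every one of its signers is absent from the keyring. Fed real output, the same search tells you whether a fingerprint on a keyserver is backed by anyone you know or merely by a crowd.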