Re: More prominent link to verification hashes

On 23 February 2016 at 12:13, Ralf Senderek <fedora@xxxxxxxxxxx> wrote:
>
> On Tue, 23 Feb 2016, Till Maas wrote:
>
>>  You can already get the keys at various places:
>>
>>  - Fedora website
>>  - physical DVDs
>>  - fedora-repos git repository
>>  - fedora-repos RPM on kojipkgs
>>  - fedora-repos RPM Fedora mirrors
>>  - Fedora ISO images on Fedora mirrors
>>  - Eventually DNSSEC protected from DNS
>
>
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.
>
>
>>  Also all recent Fedora keys were signed by me. So how many different
>>  places do we need to make it secure? I am also very interested in making
>>  this secure, but adding more random places to look does not help unless
>>  people are actually looking there.
>
>
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.
>

"prominent places" is the part that needs work here. This isn't the
1990s when setting up a website was hard and mailing out a physical
copy of the fingerprint was cheaper. I could set up a dozen websites
all claiming to have the "fingerprint" for near zero cost. How is
anyone going to know whether that is the valid one or not?


>>  And since you did not notice that I
>>  signed the GPG keys, I guess you did not look much as well.
>
>
> You didn't sign it in the download file from the verify page.
> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.
>
> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.
>

If you have a definition of what valid means are... then that might be
possible. However, I have spent way too many meetings and
conversations trying to come up with "enough" assurance and finding
that every way gets "we don't believe that is valid because these are
the 30 ways it could have been circumvented."



>
>>  Btw before suggesting what to provide, maybe think of the instructions
>>  for users that would explain how to verify the keys
>
>
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.
>
> If you think you can improve things by signing keys, then take Gregory's
> advice and create a long-term signing key and add its signature to new
> fedora release keys. AND print the fingerprint of this one key in
> many prominent places.
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx



-- 
Stephen J Smoogen.
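The check Ralf describes above, comparing every key in a downloaded key file against fingerprints obtained somewhere else, as an added example that is not part of this thread or of Fedora's own tooling. It parses the machine-readable listing gpg prints for `--with-colons`, skips subkeys, and cross-checks that each long key ID really is the tail of its fingerprint; the pinned values and the sample listing are constructed for the example.

```python
import re

# Fingerprints copied from a trusted, out-of-band source (values constructed for this
# example). The point of the check is that these do NOT come from the key file itself.
PINNED_FINGERPRINTS = {
    "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000",
    "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333",
}

# Constructed sample of `gpg --with-colons --import-options show-only --import keys.asc`.
SAMPLE_COLON_OUTPUT = """\
pub:-:4096:1:7777888899990000:1455000000::::::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1455000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Example Release Key (constructed) <release@example.invalid>::::::::::0:
sub:-:4096:1:0000111122223333:1455000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA980000111122223333:
pub:-:4096:1:89ABCDEF01234567:1455000001::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1455000001::CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE::Unknown Key (constructed) <unknown@example.invalid>::::::::::0:
"""

def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and upper-case so printed and machine forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_primary_fingerprints(colon_output: str) -> dict[str, str]:
    """Map each primary key's long key ID (pub field 5) to its fingerprint (fpr field 10)."""
    fingerprints: dict[str, str] = {}
    current_keyid = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_keyid = fields[4].upper()
        elif fields[0] == "sub":
            current_keyid = None  # the fpr record that follows belongs to a subkey; ignore it
        elif fields[0] == "fpr" and current_keyid is not None:
            fpr = normalize_fingerprint(fields[9])
            # For v4 keys the long key ID is the low 64 bits of the fingerprint; a mismatch
            # means the listing is inconsistent and must not be trusted at all.
            if not fpr.endswith(current_keyid):
                raise ValueError(f"key ID {current_keyid} does not match fingerprint {fpr}")
            fingerprints[current_keyid] = fpr
    return fingerprints

def verify_keys(colon_output: str, pinned: set[str]) -> dict[str, bool]:
    """Return {key ID: True if its fingerprint is pinned} for every primary key in the file."""
    pins = {normalize_fingerprint(p) for p in pinned}
    return {keyid: fpr in pins for keyid, fpr in parse_primary_fingerprints(colon_output).items()}
```

Any key that maps to False here is exactly the case Ralf warns about: self-signed, present in the download, but vouched for by nothing outside the file.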