On Wed, Sep 3, 2008 at 8:42 PM, Bill Davidsen <davidsen@xxxxxxx> wrote:
> Patrick O'Callaghan wrote:
>>
>> On Wed, 2008-09-03 at 10:30 -0400, Bill Davidsen wrote:
>>>
>>> hardest of all find a secure way to provide the public part of the
>>> signing key
>>
>> The whole point about asymmetric encryption is that you don't need a
>> secure distribution channel. The worst that can happen is that some fake
>> public key gets distributed, which won't match the private key and hence
>> will be instantly detectable.
>>
> NAK - if a fake public key were distributed then packages signed with the
> fake key would be matched, allowing full access to install crap in your
> machine. And packages signed with any valid redhat key would be rejected.
>
> The public key really must be distributed in a secure manner.

Isn't the point of a Public Key to be publicly distributed? The
Private Key is what you closely guard against all tampering.

~af

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
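The distinction this thread turns on is that a public key does not need to be secret, but the verifier does need an authentic copy of it. The following is an added example, not part of the original messages or of any Fedora tooling, showing what a signature check does with a substituted key and how comparing the key's fingerprint to a pinned value catches the substitution. Assumptions: Lamport one-time signatures over SHA-256 stand in for the GPG signatures used on packages, all function and variable names are hypothetical, and the pinned fingerprint is assumed to have been obtained over a trusted channel.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def bits(message: bytes):
    # The 256 bits of SHA-256(message), most significant bit first.
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, message: bytes):
    return [priv[i][b] for i, b in enumerate(bits(message))]

def verify(pub, message: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, bits(message))))

def fingerprint(pub) -> str:
    # Short value that can be compared against a copy obtained out of band.
    return hashlib.sha256(b"".join(a + b for a, b in pub)).hexdigest()

def install_check(pub_received, pinned_fp, package, sig) -> str:
    # Authenticate the key first, then the package.
    if fingerprint(pub_received) != pinned_fp:
        return "reject: key fingerprint mismatch"
    if not verify(pub_received, package, sig):
        return "reject: bad signature"
    return "accept"

# Constructed sample data (each Lamport key signs exactly one message).
vendor_priv, vendor_pub = keygen()
other_priv, other_pub = keygen()
good_pkg = b"constructed sample: vendor package"
other_pkg = b"constructed sample: package from another signer"
good_sig = sign(vendor_priv, good_pkg)
other_sig = sign(other_priv, other_pkg)
PINNED = fingerprint(vendor_pub)  # assumption: obtained over a trusted channel
```
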