Re: Secrecy and user trust

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 5, 2008 at 5:09 PM, Todd Zullinger <tmz@xxxxxxxxx> wrote:
> 1) I don't know where you get the idea that one person that everyone
> trusts must sign the key for any signatures to be valid.  That's not
> what the web of trust if about.

Yes of course.. a chain of trust... i mispoke. Let me be more
deliberate.  A single signature that everyone ends up trusting through
their own personal chains of trust. I don't really think one signature
is going to suffice for everyone who cares about this to the point of
requesting detected signatures be included with the key in the
package.  If Jesse signs it and posts that signature to the key server
is that going to suffice for everyone who needs signature assurance?
Is Jesse really in everyone's web of trust?

> If Jesse Keating or other rel-eng folks with access to the private key
> sign the key, it holds some weight as they are the folks that can
> properly verify the key.

It only holds weight if those with signing authority with the key also
cross-sign their personal keys using the package signing key. The only
way to verify access to the key is to sign with the key.  So for this
to mean anything at all, we'll need to get the people with signing
authority  to sign  their personal gpg key with the signing key  as
well as sign the signing key  with their personal key  then submit
both signatures to a public keyserver for verification or you'll not
have any verifiable evidence that these people have access to the
signing key at all. God forbid you take my word for it that Jesse or
anyone else actually has signing authority.   Without the
cross-signing, you are just taking our collective word for who has
access to the key.  And there's no point in included the detached sigs
unless we also include the personal signing keys and the associated
cross-signatures. Again its just all more effectively done via public
keyserver operations.  If you can wait for it, I can try to make sure
that the people with signing authority do the cross-signing with their
personal keys and public keyserver publishing. But its not going to
happen before the key is pushed out in the fedora-release package.
This is probably a good topic for the next scheduled rel-eng meeting
or FESCo meeting if it doesn't happen by then.

-jef

-jef

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux