Tim wrote:
> Yeah, I know. It makes it hard for a second person to say that
> they're John Doe, but it's still dead easy for one person to say
> they are, in the first place.
>
> If another person decides they're going to claim they're John Doe, make
> a GPG/PGP key for their John Doe persona, their signed e-mails will
> show up as being valid. They are, the person who made *their* key
> also made their message. It's a different key than the other John
> Doe, of course, but your mail &/or GPG/PGP client doesn't do that
> sort of check.

If you've got a gpg plugin for your mail that doesn't do this sort of check and provide a way to alert the user to the fact that the keys don't match, then that plugin is crap. It's also possible that many users don't understand how to work with the pgp system and thus they ignore important pieces of information. There is some amount of work that needs to be done by each user in order to avoid various pitfalls. I can assure you that if you signed your messages and I cared about verifying them, I would notice very easily if someone else sent me a signed message using the same name and address on a different key. :)

> I haven't looked too closely at the packages, I'd hope however the
> repos are managed do that.

As I understand it, currently the signing of packages for updates is done manually by the admins. There is work afoot to create a signing server[1] which will be able to help automate this process. Obviously, keeping such a system secure is very important.

> But have a look at the update notices. Those are signed by the
> person maintaining that package, I've only seen self-signed
> messages. None with a countersign to their signature.

Where are those at? I don't subscribe to the package announcement list and looking at the archives I didn't see any signatures, so either I'm not looking at what you're talking about or the list software is filtering the sigs.

I don't think that individual maintainers sign the announcement messages, at least I never saw that in any of the maintainer docs I've seen on pushing updates. I'm genuinely curious to know what notices you're referring to.

[1] http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If Stupidity got us into this mess, then why can't it get us out?
    -- Will Rogers (1879-1935)
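The per-identity key check Todd says a decent mail plugin should do, written out as an added example (not code from the thread or from any real plugin): the first key fingerprint seen for a sender address is pinned, and a later valid signature on the same name and address from a different key is flagged. The status lines follow GnuPG's `--status-fd` GOODSIG/VALIDSIG shape but are constructed here, not captured output.

```python
import re
EMAIL_RE = re.compile(r"<([^>]+)>")

def parse_status(lines):
    """(user_id, fingerprint) from GOODSIG/VALIDSIG lines; None if no GOODSIG."""
    uid = fpr = None
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            uid = " ".join(fields[3:])   # everything after the long key ID
        elif fields[1] == "VALIDSIG":
            fpr = fields[2].upper()      # full fingerprint of the signing key
    return None if uid is None or fpr is None else (uid, fpr)

def identity(uid):
    """Reduce a user ID to the address a mail client matches the sender on."""
    m = EMAIL_RE.search(uid)
    return (m.group(1) if m else uid).strip().lower()

class KeyPins:
    def __init__(self):
        self._pins = {}   # identity -> fingerprint of the first key seen for it

    def check(self, uid, fpr):
        """'pinned' on first sight, 'match' for the pinned key, else 'mismatch'."""
        ident = identity(uid)
        if ident not in self._pins:
            self._pins[ident] = fpr
            return "pinned"
        return "match" if self._pins[ident] == fpr else "mismatch"

def triage(store, batches):
    """One status per message; signatures that did not verify are 'unverified'."""
    parsed = [parse_status(lines) for lines in batches]
    return ["unverified" if p is None else store.check(*p) for p in parsed]

# Constructed status lines (not real GnuPG output): two messages from the
# original "John Doe" key, then one from a second key carrying the same user ID.
ORIGINAL_FPR, IMPOSTOR_FPR = "A" * 40, "B" * 40
CONSTRUCTED = [
    ["[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA John Doe <john.doe@example.org>",
     f"[GNUPG:] VALIDSIG {ORIGINAL_FPR} 2024-01-01 1704067200"],
    ["[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA John Doe <john.doe@example.org>",
     f"[GNUPG:] VALIDSIG {ORIGINAL_FPR} 2024-01-02 1704153600"],
    ["[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB John Doe <John.Doe@example.org>",
     f"[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2024-01-03 1704240000"],
]
```

`triage(KeyPins(), CONSTRUCTED)` yields `pinned`, `match`, `mismatch`; the third message is exactly the case Tim describes, a perfectly valid signature that a client should still refuse to present as "John Doe" without a warning.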