Hi,

the program gpg writes about the Debian CD signing key DA87E80D6294BE9B :

> > > WARNING: This key is not certified with a trusted signature!
> > > There is no indication that the signature belongs to the owner

I wrote:
> > This is a security usability problem. How is a non-expert to know that
> > this warning can be ignored, while others must be tended to?

Jeffrey Walton wrote:
> This is a security usability problem. How is a non-expert to know that
> this warning can be ignored, while others must be tended to?

Yep. Didactically it is quite unfortunate.

It would be interesting to learn how to connect the key to a web of trust
which would suppress this warning everywhere. But reading

  https://www.gnupg.org/gph/en/manual/x334.html
  "Validating other keys on your public keyring"

  https://gnupg.org/download/integrity_check.html
  (GnuPG's own download integrity check prescriptions)

I get the impression that there is no global web of trust to attach to.

> The answer is, the non-expert does not know.

Nearly nobody can judge how safe a gpg signature is. The algorithms are
complicated and the interface towards human users invites mistakes and
misunderstandings.

> > https://www.debian.org/CD/verify
> The page does not provide a prescriptive recipe on how to do what it
> says to do.

In general one cannot give such a recipe without knowing the system on
which the verification shall happen. But I agree that a tangible example
for an existing Debian old-stable system could help even those who use
something else.

> > Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
> > echo "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B" | sed -e 's/
> > //g'
> Something needs to be fixed here.

I meanwhile get the impression that this is not needed in real life,
because my local gpg states the fingerprint with the same blanks as on
the Debian web page:

  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

So I assume that Thomas George's reported line

  ...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B

fell victim to editing or mail client.
(But we see how difficult it is to give a general description of the
procedure.)

> One last thought... https://www.debian.org/CD/verify should probably
> be moved to the wiki.

That would probably not be a good idea. The page offers the official keys
for download and states their official key fingerprints. Such a page
should be editable only by the most authorized people.

But www.debian.org/CD/verify could point to a public wiki where users show
their favorite ways to do the verification. Such a wiki would of course
need to be constantly observed by users who dispute and remove any attempt
of deception.

Have a nice day :)

Thomas
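As an added example, not part of the thread above and not Debian's or GnuPG's own tooling: the warning "This key is not certified with a trusted signature" appears because the key is not in the local web of trust, so the substitute check is to compare the fingerprint gpg reports against the one published on https://www.debian.org/CD/verify. The script below does that comparison in a way that is indifferent to the blank-vs-no-blank spelling discussed above, by reading gpg's machine-readable `--status-fd` output (the VALIDSIG line) instead of the human-oriented messages. The expected fingerprint and key ID are the ones quoted in the mail; the status lines in `SAMPLE_STATUS` are constructed for offline testing, and the signature date, timestamp and signature ID in them are made-up placeholder values. The function names are my own.

```shell
#!/bin/sh
# Fingerprint of the Debian CD signing key, as published on
# https://www.debian.org/CD/verify and quoted in the mail above.
EXPECTED_FPR="DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"

# Drop every blank/tab/newline and fold to upper case, so that
# "DF9B 9C49 ..." and "DF9B9C49..." compare as equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 when the two fingerprints are the same regardless of spacing.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Pull the primary key fingerprint out of gpg --status-fd output.
# Format of the line (documented in GnuPG's doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp-ts> <ver> <reserved>
#                     <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
# Older gpg versions omit the trailing primary key fingerprint, in which
# case the signing key fingerprint itself is used.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Given the full status text, return 0 only if gpg reported a valid
# signature made by the key with the published fingerprint.
status_matches_expected() {
    got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$got" ] && fpr_matches "$got" "$EXPECTED_FPR"
}

# Verify a detached signature (e.g. SHA512SUMS.sign over SHA512SUMS).
# gpg's human-readable chatter, including the "not certified" warning,
# goes to stderr; the status lines we parse go to stdout via --status-fd 1.
# Usage: verify_checksums_file SHA512SUMS.sign SHA512SUMS
verify_checksums_file() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_matches_expected "$status"
}

# Constructed sample of what gpg --status-fd 1 emits for a good signature
# by the Debian CD key (placeholder date, timestamp and signature ID).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED DF9B9C49EAA9298432589D76DA87E80D6294BE9B 0
[GNUPG:] SIG_ID placeholder-sig-id 1970-01-01 0
[GNUPG:] GOODSIG DA87E80D6294BE9B <uid placeholder>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 1970-01-01 0 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Stand-alone demonstration on the constructed sample; with two file
# arguments, verify a real signature/file pair instead.
if [ $# -eq 2 ]; then
    if verify_checksums_file "$1" "$2"; then
        echo "OK: signed by the key with the published fingerprint"
    else
        echo "FAILED: bad signature or unexpected signing key" >&2
        exit 1
    fi
else
    echo "sample status reports: $(printf '%s\n' "$SAMPLE_STATUS" | primary_fpr_from_status)"
    if status_matches_expected "$SAMPLE_STATUS"; then
        echo "sample matches the published fingerprint"
    fi
fi
```

Note that TRUST_UNDEFINED still appears in the status output: the web-of-trust warning is not suppressed, it is simply made irrelevant by checking the fingerprint directly against the value obtained from the official page.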