On 4/5/06, Boyd Stephen Smith Jr. <[EMAIL PROTECTED]> wrote:
> On Wednesday 05 April 2006 13:49, "Lord Sauron"
> <[EMAIL PROTECTED]> wrote about 'Re: [gentoo-user]
> Beautification - Splash':
> > > You sent two copies of your message, one signed, the other not. You
> > > also didn't publish your public key on any keyserver that my kmail
> > > polls for keys (I think I poll 6 servers, though at least 3 of them
> > > share keys among themselves, too).
> >
> > So that's what people are talking about whenever they say there's
> > gonna be a "public key signing!" I've been idly wondering what that
> > could be.
> >
> > Okay... that makes sense now.
>
> No, a public key signing is when you verify that the key(s) provided by the
> keyserver match the person they are supposed to. The keyserver provides a
> key to you based on its ID, and the key itself contains what email
> address it can be attached to, but that doesn't tell you that *I* signed
> it. You'd have to talk face-to-face with me (or some other pre-secured
> method) to know that *I* uploaded that key. Anyone can upload a key
> purporting to be from [EMAIL PROTECTED] and then send a message signed
> with that key. (Keys are essentially random, and anyone can send a mail
> with the "From" header saying "[EMAIL PROTECTED]". In the most
> paranoid case, mail TO [EMAIL PROTECTED] [assuming it isn't a send-only
> email address] can be intercepted by anyone with physical or root access
> to the computer pointed to by the MX record of volumehost.net.

Yeah, no system is foolproof.

> > > This message is validly signed, although probably by a key you don't
> > > trust (nor should you until you verify the key actually belongs to the
> > > person it claims to).
> >
> > Most key servers use hardened linux or SE Linux, right? Since that is
> > what they're supposed to be for? I think I could scrape together
> > another cheap-o server to make into my own key server... that'd be
> > cool. If nothing else it'd be nice to play with it a bit : )
>
> Most keyservers were up and running before hardened or SE Linux was
> available, but may have been upgraded. They are supposed to be difficult
> to break into and/or spoof, just like any public server, but they are
> *NOT* a source of trust. They accept and provide keys without any tests.
> They are a convenient publishing method, they are *NOT* part of the trust
> equation.

Yeah, I was just thinking Hardened Linux would be a good choice b/c it's
more resistant to some cracker breaking in and screwing stuff up all over
the place. "Good data in, good data out; bad data in, bad data out" is the
keyserver, but I don't want cracker pinhead to take the data and make it
bad.

> > > "If there's one thing we've established over the years,
> > > it's that the vast majority of our users don't have the slightest
> > > clue what's best for them in terms of package stability."
> > > -- Gentoo Developer Ciaran McCreesh
> >
> > I honestly hope you're just joking. Really, the world gets much
> > scarier when that is true...
>
> Check the Gmane archives if you don't believe me. Ciaran said it and has
> yet to even take notice of my signature quoting him. Hell, sometimes I
> almost believe it. In my most cynical moments, I think we should stop
> helping people install Gentoo, just so we have some minimum competency
> requirement for users.

Yeah, there is a significant advantage to having competent users; however,
when you make that distinction you narrow your target audience to so few
people...

> Then, I realize that I probably wouldn't have the wonderful Gentoo system I
> have now without the support of the other Gentoo users; I'd probably be
> running Debian. :/

I was a good person and learned all I could on Debian before trying Gentoo.
That's why you don't see me asking questions like "what's bash" and
"where's the start menu?" Luckily for you, that's where I picked up what
few mailing-list manners I have ; ) You should have seen my posts before...
scary.

-- 
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+ L++ E--- W+(+++) N++ o? K? w--- O? M+ V?
PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+ DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
-- 
gentoo-user@gentoo.org mailing list
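Boyd's point above, that a keyserver publishes keys but does not vouch for them and that a key signing is the out-of-band check of who actually owns a key, can be shown with GnuPG itself. The script below is an added example written for this page; it is not code from the thread, from kmail or from Gentoo. It assumes GnuPG 2.1 or newer on PATH (it exits quietly if that is missing) and constructs everything else: the two "Boyd" keys, the address boyd@example.org, a third key for the reader, and the message text. Exporting a key from one throwaway keyring and importing it into another stands in for uploading it to, and fetching it from, a keyserver.

```shell
#!/bin/sh
# Added example (not from the thread): a keyserver hands out whatever key was
# uploaded for an address, so "Good signature" alone proves nothing about who
# signed.  Assumes GnuPG 2.1+; names, address and message are constructed.
set -e

if ! gpg --version 2>/dev/null | head -n1 | grep -q ' 2\.'; then
    echo "GnuPG 2.x not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
BOYD="$WORK/boyd"; IMPOSTOR="$WORK/impostor"; ME="$WORK/me"
ADDR="boyd@example.org"            # the address both "Boyd" keys will claim

cleanup() {
    for h in "$BOYD" "$IMPOSTOR" "$ME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg wrapper: one keyring per person, no passphrases, no prompts.
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"; }

gen_key() {   # $1 home, $2 user id
    mkdir -p -m 700 "$1"
    echo allow-loopback-pinentry > "$1/gpg-agent.conf"   # older 2.1 agents need this
    g "$1" --quick-generate-key "$2" default default 0 2>/dev/null
}

fingerprint() {   # primary-key fingerprint of the only secret key in $1
    g "$1" --with-colons --with-fingerprint --list-secret-keys 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

publish() {   # $1 source home -> my keyring; stands in for a keyserver round trip
    g "$1" --armor --export 2>/dev/null | g "$ME" --import 2>/dev/null
}

sign() {   # $1 signer home, $2 output file
    g "$1" --clearsign --output "$2" "$WORK/msg.txt" 2>/dev/null
}

# Prints "<GOODSIG|BADSIG|ERRSIG> <TRUST_...> <fingerprint of the signing key>",
# taken from gpg's machine-readable status lines rather than its prose.
verify_status() {
    g "$ME" --status-fd 1 --verify "$1" 2>/dev/null \
        | awk '/^\[GNUPG:\] (GOODSIG|BADSIG|ERRSIG)/ { res = $2 }
               /^\[GNUPG:\] VALIDSIG/                { fpr = $3 }
               /^\[GNUPG:\] TRUST_/                  { trust = $2 }
               END { print res, trust, fpr }'
}

# A careful reader accepts only: good signature, AND a key the web of trust
# validates, AND the fingerprint learned out of band.  $1 = verify_status
# output, $2 = expected fingerprint.
accept() {
    set -- $1 "$2"
    [ "$1" = GOODSIG ] || return 1
    [ "$2" = TRUST_FULLY ] || [ "$2" = TRUST_ULTIMATE ] || return 1
    [ "$3" = "$4" ]
}

printf 'Key signing tonight at 8, bring your fingerprint slips.\n' > "$WORK/msg.txt"

gen_key "$BOYD"     "Boyd Stephen Smith Jr. <$ADDR>"
gen_key "$IMPOSTOR" "Boyd Stephen Smith Jr. <$ADDR>"   # anyone can make this one
gen_key "$ME"       "Me <me@example.net>"               # my own key, ultimately trusted

# What a key signing party gives you: Boyd's fingerprint, checked face to face.
BOYD_FPR=$(fingerprint "$BOYD")
IMPOSTOR_FPR=$(fingerprint "$IMPOSTOR")

# The "keyserver" serves both keys for the same address, no questions asked.
publish "$BOYD"; publish "$IMPOSTOR"

sign "$BOYD"     "$WORK/from_boyd.asc"
sign "$IMPOSTOR" "$WORK/from_impostor.asc"

# Both verify as GOODSIG: each signature matches *a* key naming Boyd's address.
BEFORE_BOYD=$(verify_status "$WORK/from_boyd.asc")
BEFORE_IMPOSTOR=$(verify_status "$WORK/from_impostor.asc")

# Certify Boyd's key locally, only after the fingerprint check above.
g "$ME" --quick-lsign-key "$BOYD_FPR" 2>/dev/null
g "$ME" --check-trustdb 2>/dev/null

AFTER_BOYD=$(verify_status "$WORK/from_boyd.asc")
AFTER_IMPOSTOR=$(verify_status "$WORK/from_impostor.asc")

echo "Boyd's real fingerprint (out of band): $BOYD_FPR"
echo "before lsign, from Boyd:     $BEFORE_BOYD"
echo "before lsign, from impostor: $BEFORE_IMPOSTOR"
echo "after lsign,  from Boyd:     $AFTER_BOYD"
echo "after lsign,  from impostor: $AFTER_IMPOSTOR"
accept "$AFTER_BOYD" "$BOYD_FPR"      && echo "accept: Boyd's message"
accept "$AFTER_IMPOSTOR" "$BOYD_FPR"  || echo "reject: impostor's message"
```

Before the local signature both messages come back GOODSIG with TRUST_UNDEFINED, which is exactly the "validly signed, although probably by a key you don't trust" case in the thread. Only after the fingerprint has been checked against Boyd in person and the key certified does his message reach TRUST_FULLY, while the impostor's key, despite the identical user ID, stays undefined. Parsing the status lines (VALIDSIG and TRUST_*) instead of grepping for "Good signature" is what makes the decision mechanical; in real use, `gpg --recv-keys` replaces the export/import pair and the fingerprint comes from the keyholder, never from the keyserver.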