On 4/5/06, Boyd Stephen Smith Jr. <[EMAIL PROTECTED]> wrote:
> On Wednesday 05 April 2006 13:49, "Lord Sauron"
> <[EMAIL PROTECTED]> wrote about 'Re: [gentoo-user]
> Beautification - Splash':
> > > You sent two copies of your message, one signed, the other not.  You
> > > also didn't publish your public key on any keyserver that my kmail
> > > polls for keys (I think I poll 6 servers, though at least 3 of other
> > > shares keys among themselves, too).
> >
> > So that's what people are talking about whenever they say there's
> > gonna be a "public key signing!"  I've been idly wondering what that
> > could be.
> >
> > Okay...  that makes sense now.
>
> No, a public key signing is when you verify that the key(s) provided by the
> keyserver match the person they are supposed to.  The keyserver provides a
> key to you based on its ID, and the key itself contains what email
> address it can be attached to, but that doesn't tell you that *I* signed
> it.  You'd have to talk face-to-face with me (or some other pre-secured
> method) to know that *I* uploaded that key.  Anyone can upload a key
> purporting to be from [EMAIL PROTECTED] and then send a message signed
> with that key.  (Keys are essentially random, and anyone can send a mail
> with the "From" header saying "[EMAIL PROTECTED]".  In the most
> paranoid case, mail TO [EMAIL PROTECTED] [assuming it isn't a send-only
> email address] can be intercepted by anyone with physical or root access
> to the computer pointed to by the MX record of volumehost.net.)

Yeah, no system is foolproof.

> > > This message is validly signed, although probably by a key you don't
> > > trust (nor should you until you verify the key actually belongs to the
> > > person it claims to).
> >
> > Most key servers use Hardened Linux or SELinux, right?  Since that is
> > what they're supposed to be for?  I think I could scrape together
> > another cheap-o server to make into my own key server...  that'd be
> > cool.  If nothing else it'd be nice to play with it a bit : )
>
> Most keyservers were up and running before Hardened or SELinux was
> available, but may have been upgraded.  They are supposed to be difficult
> to break into and/or spoof, just like any public server, but they are
> *NOT* a source of trust.  They accept and provide keys without any tests.
> They are a convenient publishing method; they are *NOT* part of the trust
> equation.

Yeah, I was just thinking Hardened Linux would be a good choice b/c
it's more resistant to some cracker breaking in and screwing stuff up
all over the place.

"Good data in, good data out; bad data in, bad data out" is the
keyserver, but I don't want cracker pinhead to take the data and make
it bad.

> > > "If there's one thing we've established over the years,
> > > it's that the vast majority of our users don't have the slightest
> > > clue what's best for them in terms of package stability."
> > > -- Gentoo Developer Ciaran McCreesh
> >
> > I honestly hope you're just joking.  Really, the world gets much
> > scarier when that is true...
>
> Check the Gmane archives if you don't believe me.  Ciaran said it and has
> yet to even take notice of my signature quoting him.  Hell, sometimes I
> almost believe it.  In my most cynical moments, I think we should stop
> helping people install Gentoo, just so we have some minimum competency
> requirement for users.

Yeah, there is a significant advantage to having competent users,
however, when you make that distinction you narrow your target
audience to so few people...

> Then, I realize that I probably wouldn't have the wonderful Gentoo system I
> have now without the support of the other Gentoo users; I'd probably be
> running Debian. :/

I was a good person and learned all I could on Debian before trying
Gentoo.  That's why you don't see me asking questions like "what's
bash" and "where's the start menu?"

Luckily for you, that's where I picked up what few mailing-list
manners I have ; )

You should have seen my posts before...  scary.

--
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
                DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========

-- 
gentoo-user@gentoo.org mailing list