Re: ISO md5sum signing paranoia

2005-09-30 Thread vitko
> The idea is that either YOU meet these people, or that somebody you trust did
> it for you, or that somebody you trust knows somebody he trusts who knows
> this trusty gal, who had a relation with a bloke, who met the guy at this
> congress which he now trusts.


Yes, that is the idea of signing the keys by CA. It seems gpg supports this:

<quote>
gpg: WARNING: This key is not certified with a trusted signature!
</quote>

Does it mean that the key is certified, but I am missing the key of the certificator; then
I'd like to know where to get this certificate authority key; OR does it mean
this key is not certified at all?

Vit


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: ISO md5sum signing paranoia

2005-09-30 Thread Gabor Gombas
Hi,

On Fri, Sep 30, 2005 at 10:08:19AM +0200, vitko wrote:

> Yes, that is the idea of signing the keys by CA. It seems gpg supports this:

No, the term CA is a concept from the X.509 world and is completely
alien to the web-of-trust model gpg uses. Do not mix the two models.

> <quote>
> gpg: WARNING: This key is not certified with a trusted signature!
> </quote>
>
> Does it mean that the key is certified, but I am missing the key of the certificator; then
> I'd like to know where to get this certificate authority key;

There are no certificate authorities in the web-of-trust model. Anybody
who you already trust can sign the key.

> OR does it mean this key is not certified at all?

It means what it says: it is not signed by someone you already trust.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences





Re: ISO md5sum signing paranoia

2005-09-30 Thread Ernest ter Kuile
On Friday 30 September 2005 10:08, vitko wrote:
> > The idea is that either YOU meet these people, or that somebody you trust
> > did it for you, or that somebody you trust knows somebody he trusts who
> > knows this trusty gal, who had a relation with a bloke, who met the guy
> > at this congress which he now trusts.
>
> Yes, that is the idea of signing the keys by CA. It seems gpg supports
> this:
>
> <quote>
> gpg: WARNING: This key is not certified with a trusted signature!
> </quote>
>
> Does it mean that the key is certified, but I am missing the key of the certificator;
> then I'd like to know where to get this certificate authority key; OR does
> it mean this key is not certified at all?

no and no.

The key might be certified (trusted) by somebody, however the warning above 
indicates gpg cannot find a web of trust in _your_ key ring leading to 
anything that leads to any key that _you_ declared to trust.

There is no CA for this.

Besides, how come you trust any of these supposed CAs?
Do you know them?
Are they indeed trustworthy?

(sorry I'm a bit paranoid there, but you asked for it ;o)

gpg's web of trust doesn't work with the self-appointed Certificate
Authorities (yes, these literally appeared out of the blue!). gpg expects
you to meet people and build a web of trust with them.

Of course that is the theory. What I did (and this is the part I'm not
supposed to tell you) is over the years declare a few keys marginally trusted
after having seen them coming again and again with emails and packages. After
a relatively short time the system started to trust some other keys from new
emails and new packages.

Cheers,

Ernest ter Kuile.


> Vit


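The validity calculation that Gabor and Ernest describe above (no CA; a key counts as belonging to its owner only once enough keys you already trust have signed it; Ernest's marginally trusted introducers eventually vouching for new keys), as an added example that is not code from the thread or from GnuPG. It re-implements GnuPG's classic trust model in miniature with the default thresholds (three marginals or one full, maximum chain depth five). The key names and the key ring are constructed placeholders, not real key IDs, and the warning strings are the ones `gpg --verify` prints for each validity level.

```python
"""Toy model of GnuPG's classic web-of-trust validity calculation.

Added example, not code from the thread or from GnuPG: key names are
placeholders, not real key IDs, and the ring is constructed to mirror
the situations the messages describe.
"""
from typing import Dict, Set

# GnuPG's defaults for the classic trust model
# (--marginals-needed, --completes-needed, --max-cert-depth).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(ownertrust: Dict[str, str], certs: Dict[str, Set[str]],
                     marginals_needed: int = MARGINALS_NEEDED,
                     completes_needed: int = COMPLETES_NEEDED,
                     max_cert_depth: int = MAX_CERT_DEPTH) -> Dict[str, str]:
    """Return the validity ("full", "marginal" or "unknown") of every key.

    ownertrust: how much YOU trust each key's owner to certify others
                ("ultimate", "full", "marginal"; absent means unknown).
    certs:      key -> set of keys that have signed (certified) it.
    Validity is a separate question from ownertrust: it says whether a key
    is believed to belong to its named owner, and only valid keys whose
    owner you trust may vouch for further keys.
    """
    keys = set(ownertrust) | set(certs) | {s for ss in certs.values() for s in ss}
    validity = {k: "unknown" for k in keys}

    # Depth 0: ultimately trusted keys (normally your own) are valid by definition.
    certifiers = {k for k in keys if ownertrust.get(k) == "ultimate"}
    for k in certifiers:
        validity[k] = "full"

    for _depth in range(1, max_cert_depth + 1):
        newly_full: Set[str] = set()
        for key in keys:
            if validity[key] == "full":
                continue
            # Self-signatures never count; only currently accepted certifiers do.
            signers = (certs.get(key, set()) - {key}) & certifiers
            full = sum(1 for s in signers if ownertrust[s] in ("full", "ultimate"))
            marginal = sum(1 for s in signers if ownertrust[s] == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key] = "full"
                newly_full.add(key)
            elif full or marginal:
                validity[key] = "marginal"
        if not newly_full:
            break
        # A key may introduce others only once it is fully valid AND you have
        # assigned its owner some trust; ownertrust on an invalid key is inert.
        certifiers |= {k for k in newly_full if ownertrust.get(k) in ("marginal", "full")}
    return validity


def verify_warning(validity: str) -> str:
    """The warning `gpg --verify` prints for a signing key of the given validity."""
    if validity == "full":
        return ""
    if validity == "marginal":
        return "gpg: WARNING: This key is not certified with sufficiently trusted signatures!"
    return "gpg: WARNING: This key is not certified with a trusted signature!"


def thread_scenario() -> Dict[str, str]:
    """Constructed ring: Ernest's marginal introducers plus vitko's keyring import."""
    ownertrust = {
        "me": "ultimate",
        # Keys Ernest declared marginally trusted after seeing them repeatedly.
        "A": "marginal", "B": "marginal", "C": "marginal",
    }
    certs = {
        # Signing A, B and C yourself is what makes them valid; the ownertrust
        # setting alone would not.
        "A": {"me"}, "B": {"me"}, "C": {"me"},
        "D": {"A", "B", "C"},   # new key signed by three marginal introducers -> fully valid
        "E": {"A"},             # signed by only one of them -> "not sufficiently trusted"
        # Importing a whole keyring adds many signatures but no ownertrust:
        # manty's key stays "unknown", exactly the warning quoted in the thread.
        "manty": {"X", "Y", "Z"}, "X": {"Y"}, "Y": {"Z"}, "Z": {"X"},
    }
    return compute_validity(ownertrust, certs)


if __name__ == "__main__":
    for key, v in sorted(thread_scenario().items()):
        print(f"{key:6} {v:8} {verify_warning(v)}")
```

Two things the model makes visible that the thread only implies: importing the whole Debian keyring changes nothing on its own, because signatures from keys you hold no ownertrust for never count; and setting ownertrust on a key (`--edit-key ... trust`) is inert until that key is itself valid, which is why signing the introducer keys (or `lsign`ing them, so the signature never leaves your ring) is the step that actually makes Ernest's approach take effect.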



Re: ISO md5sum signing paranoia

2005-09-29 Thread Ernest ter Kuile
On Thursday 29 September 2005 18:54, vitko wrote:
> I'm reinventing the wheel while learning about Debian key signing, so far
> I've been able to verify sarge-amd64 DVD iso images via
>
> $ gpg --verify MD5SUMS.sign MD5SUMS
> gpg: Signature made Mon 13 Jun 2005 10:48:17 PM CEST using DSA key ID F6A32A8E
> gpg: Good signature from "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg:                 aka "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg:                 aka "Santiago Garcia Mantinan (manty) <[EMAIL PROTECTED]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3F0A 12FC 0B55 A917 D791  82D3 72FD C205 F6A3 2A8E
>
> I'd like to know how to get rid of the warning above. So far I've imported the
> whole Debian keyring

gpg just works this way. Why would you trust these keys until you met those
people yourself?

The idea is that either YOU meet these people, or that somebody you trust did
it for you, or that somebody you trust knows somebody he trusts who knows
this trusty gal, who had a relation with a bloke, who met the guy at this
congress which he now trusts.

That's what the web of trust is about.

Of course, if you implicitly and blindly trust those keys to belong to the
people they claim to belong to, you could declare them to be trusted or sign
them with your own private key.

You can either use gpg for that directly (see help, look for edit-key and then
trust or sign) or, easier, use kgpg for a friendlier interface.

but ... do you really trust those keys?


> Thanks for any enlightenment.

hopefully it helped.

Ernest.


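The `gpg --verify MD5SUMS.sign MD5SUMS` step quoted above only establishes that the checksum list is the one manty signed; the downloaded image still has to be checked against that list, and the whole chain is only as good as the validity of the signing key, which is what the rest of the thread is about. As an added example (not code from the thread or from Debian), a checker for the coreutils-style list format that handles the cases a practitioner trips over: binary-mode `*` entries, a listed file that is absent, and a file that is present but not covered by the signed list. It recognises the digest algorithm from its hex length, so the same code also reads the SHA256SUMS and SHA512SUMS lists published alongside newer images. The image names and contents in `demo()` are constructed.

```python
"""Check files against a coreutils-style checksum list (MD5SUMS, SHA256SUMS, ...).

Added example, not code from the thread or from Debian; the image names and
contents below are constructed stand-ins.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, Tuple

# Hex digest length -> algorithm, covering the SUMS files Debian publishes.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# "HEX  name" (text mode) or "HEX *name" (binary mode), as md5sum/sha256sum write it.
SUMS_LINE = re.compile(r"([0-9a-fA-F]+) [ *](.+)")


def parse_sums(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse a checksum list into {filename: (algorithm, lowercase hex digest)}."""
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMS_LINE.fullmatch(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed checksum line")
        digest, name = m.group(1).lower(), m.group(2)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            raise ValueError(f"line {lineno}: unrecognised digest length {len(digest)}")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        entries[name] = (algo, digest)
    return entries


def hexdigest(algo: str, chunks: Iterable[bytes]) -> str:
    """Hash a stream of chunks so multi-gigabyte images need not be held in memory."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def check_files(sums_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Return a status per name: OK, FAILED, MISSING (listed but absent) or UNLISTED.

    UNLISTED is the case people forget: a signed list vouches only for the
    files it names, so anything else on the medium is unverified.
    """
    entries = parse_sums(sums_text)
    status: Dict[str, str] = {}
    for name, (algo, expected) in entries.items():
        data = files.get(name)
        if data is None:
            status[name] = "MISSING"
            continue
        actual = hexdigest(algo, (data[i:i + 65536] for i in range(0, len(data), 65536)))
        status[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    for name in files:
        status.setdefault(name, "UNLISTED")
    return status


def demo() -> Dict[str, str]:
    """Constructed images and a constructed MD5SUMS list; one image is corrupted."""
    image1 = b"constructed contents of image 1\n" * 1000
    image2 = b"constructed contents of image 2\n" * 1000
    sums_text = (
        f"{hashlib.md5(image1).hexdigest()}  sarge-amd64-dvd-1.iso\n"
        f"{hashlib.md5(image2).hexdigest()}  sarge-amd64-dvd-2.iso\n"
        f"{hashlib.md5(b'never downloaded').hexdigest()}  sarge-amd64-dvd-3.iso\n"
    )
    files = {
        "sarge-amd64-dvd-1.iso": image1,
        "sarge-amd64-dvd-2.iso": image2[:-1] + b"!",   # one byte changed -> FAILED
        "stray.iso": b"not in the signed list",         # -> UNLISTED
    }
    return check_files(sums_text, files)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here (the digests are public), and the chunked hashing matters more than it looks: a DVD image is several gigabytes, and reading it whole is the usual reason ad-hoc checkers fall over.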