On Lu, 02 iul 12, 17:21:39, anots...@fastmail.fm wrote:
>
> Posting gpg signing keys works for many other websites. How it works and
> how I suggest...
> - Go to https://some-project-website.com.
> - Some root CA vouches for the identity of some-project-website.com.
> - The author posts his gpg pu
Rob writes:
> Basically you can use the debian-keyring package to obtain keys of
> many Debian developers. You can have a high level of trust that those
> keys are real because the package is signed and apt-get would notify
> you if the signature was not real. The iso you are downloading should
>
On Mon, Jul 02, 2012 at 11:34:15AM -0700, anots...@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
>
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trus
On Mon, 02 Jul 2012 11:34:15 -0700, anotst01 wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
(...)
There's apt-secure:
http://wiki.debian.org/SecureApt
But beyond that, I'm not aware of any TLS/SSL implementation.
What kind of benefit do you foresee
Roger Leigh:
> On Mon, Jul 02, 2012 at 10:49:14PM +0200, Jochen Spieker wrote:
>> What I find more interesting is that the key 0x6294BE9B ("Debian CD
>> signing key") only has nine signatures and only one from someone using
>> his "official" @debian org address (0x3442684E, Steve McIntyre). That
>>
On Mon, Jul 02, 2012 at 02:08:08PM -0700, anots...@fastmail.fm wrote:
> I still do believe a TLS encrypted source to obtain the iso signing keys
> is necessary.
TLS encryption means that
- what travels over the connection is encrypted, and in theory only
decryptable at the two endpoints
- the id
On Mon, Jul 02, 2012 at 10:49:14PM +0200, Jochen Spieker wrote:
> What I find more interesting is that the key 0x6294BE9B ("Debian CD
> signing key") only has nine signatures and only one from someone using
> his "official" @debian org address (0x3442684E, Steve McIntyre). That
> could surely be im
I still do believe a TLS encrypted source to obtain the iso signing keys
is necessary.
What about the people who live many miles away from the next developer?
Someone living on an isle should take the next flight just to get the
gpg keys?
What about the people who are unable to meet with the next
anots...@fastmail.fm:
>
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
None that I know of, but I don't see a need for that either. Sure, you
could use one of the built-in certificates in your browser to bootstrap
the chain of trust to the signing keys. But that
On Mon, Jul 02, 2012 at 11:34:15AM -0700, anots...@fastmail.fm wrote:
> Is there any TLS encrypted source for downloading the Debian iso signing
> keys?
>
> Of course, from a source verified by a common root certificate. Not from
> the Debian CA, because there is no way to get this one from a trus
Is there any TLS encrypted source for downloading the Debian iso signing
keys?
Of course, from a source verified by a common root certificate. Not from
the Debian CA, because there is no way to get this one from a trusted
source either, or is there?
If the answer is no, which were to correct comp
11 matches
Mail list logo