Secrecy and user trust

Todd Zullinger tmz at pobox.com
Thu Sep 4 17:37:05 UTC 2008


Tim wrote:
> I'm not sure whether *also* having the keys on other sites is so bad.
> If you take it like the GPG model - countersigning and cross-checking
> through other sources that you also trust.  If Livna, ATRPMs, and a few
> other usual repos had the same Fedora public key, you'd be more
> confident that the key you got from what you think is a real Fedora
> mirror, is the right one.

There certainly isn't anything stopping others from singing the Fedora
key (as can be seen by the number of signatures already¹.  I do wonder
how many of those folks have met with the holder of the secret part of
the Fedora key for verifying the fingerprint.

Another issue with adding signatures to the key is that rpm has no
ability to check those signatures (I'm not even sure if it imports
a key with multiple signatures properly).  Now that rpm is being more
actively developed and the lack of a key revocation feature has been
felt, maybe someone will submit some patches to add such features².

¹ http://subkeys.pgp.net:11371/pks/lookup?search=0x4F2A6FD2&fingerprint=on&op=vindex
² http://wiki.rpm.org/Contribute

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So its hurry! Hurry! Step right up, it's a matter of life or death
The sun is going down and the moon is just holding its breath.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080904/d66592e3/attachment-0001.sig>


More information about the fedora-list mailing list