Date:      Wed, 30 Nov 2005 14:43:43 +0100
From:      Alexander Leidinger <netchild@FreeBSD.org>
To:        Kurt Seifried <listuser@seifried.org>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Reflections on Trusting Trust
Message-ID:  <20051130144343.od5die60gsw4k0k0@netchild.homeip.net>
In-Reply-To: <000e01c5f410$2de67820$1300110a@pooptop>
References:  <20051126224530.GD27757@cirb503493.alcatel.com.au><4389D072.2030502@iang.org> <20051127182116.GA30426@cirb503493.alcatel.com.au> <000e01c5f410$2de67820$1300110a@pooptop>

Kurt Seifried <listuser@seifried.org> wrote:

> should have people upload their keys. On another note I am available 
> to sign PGP keys (proving your key/identity is an exercise left to 
> the reader =),

or to the signer... the keys are available in the handbook (either from
www.freebsd.org or in raw from http://cvsweb.freebsd.org/doc) and sending
them to the @FreeBSD.org address should put them into the hands of their
owners (and if not, it doesn't matter, they just don't get your signature on
their key). And AFAIK this is all PGP is supposed to verify, that the person
behind "user@example.tld" is the same as the person with access to the
secret key for this address. Please correct me if I'm wrong and PGP also is
supposed to e.g. verify that the name is the same as on the passport or
whatever way of personal identification is available where the owner of the
key to sign lives.

But this assumes the signer trusts the FreeBSD.org security: Access to the
FreeBSD.org machines is only granted with a known ssh v2 key. Such a key is
put in place by an admin, who got the key in a secure manner (either via a
PGP signed mail or uploaded to such a machine via scp by an already trusted
person). Without ssh access there's no way to insert a key into the CVS
repository.

My Alexander@Leidinger.net key is also available from
https://keyserver.pgp.com (I just noticed that my @FreeBSD.org key is not
available there... I should correct this). I verified (by inspecting the
fingerprint) that the key which is available from there is my own one before
acknowledging their verification procedure (see
https://keyserver.pgp.com/vkd/VKDVerificationPGPCom.html for the drawbacks
of their approach).

Bye,
Alexander.

-- 
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
The human mind treats a new idea the way the
body treats a strange protein: it rejects it.
		-- P. Medawar




