[Catalog-sig] How to verify cheeseshop signatures?
exarkun at divmod.com
Sun Oct 23 18:28:31 CEST 2005
On Sun, 23 Oct 2005 12:02:17 -0400, "Phillip J. Eby" <pje at telecommunity.com> wrote:
>>Jp Calderone wrote:
>> > The required key is indicated in the message. You just need to retrieve
>> > gpg --import 41C6E930
>> > Re-running --verify should now work.
>It doesn't. I get "gpg: can't open `41C6E930': No such file or directory".
You may not have gnupg configured with any key servers. I am currently using hkp://subkeys.pgp.net, if that's any help.
>At 01:54 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>>Partially, yes: it will verify that the signature was made by the public
>>key with that key ID. That doesn't mean you know for sure that the
>>person you assume to be behind the key really is the "owner" of the key.
>>For that, you would actually have to validate the public key, e.g. by
>>looking at the signatures on the public key, and checking whether you
>>recognize them, and whether you believe they would only sign keys for
>>people they have verified in person.
>>This is nothing cheeseshop could help with: the web of trust really is
>>between people, not between technology.
>So, from a practical perspective, the current signature implementation is of
>no use whatsoever to the vast majority of cheeseshop users.
Well... It's PGP :) It's as useful or useless to cheeseshop users as it is to anyone else. For anyone with a large web of trust, the likelihood of there being a trust relationship with the package signer is greater. For people with a small web of trust (or no web of trust at all), it's smaller.
Perhaps this means it is practically useless (FWIW I think I agree, I doubt I have a trust relationship with a single package owner)
>It seems like it would make more sense to use a format that includes a
>certificate signature chain (as with Ruby Gems). Having to manually track
>the keys of individual authors sort of goes against the whole point.
Using a chain-based system helps spread trust relationships faster. It also means someone has to manage a certificate authority (set up the certificates in the first place, manage the security of the CA cert, accept and somehow process signature requests). The attacks it is vulnerable to are also more severe in their consequences: if you compromise my PGP private key, you can pretend to be me to anyone in the world; if you compromise a certificate authority certificate, you can pretend to be anyone in the world to anyone in the world. PGP keys are also more easily revokable.
Not advocating either position, just explicitly spelling out some of the differences.
More information about the Catalog-sig