Digital signatures

Todd Zullinger tmz at pobox.com
Fri Jul 13 05:12:13 UTC 2007


Tim wrote:
> Yeah, I know.  It makes it hard for a second person to say that
> they're John Doe, but it's still dead easy for one person to say
> they are, in the first place.
> 
> If another person decides they're going to claim they're John Doe, make
> a GPG/PGP key for their John Doe persona, their signed e-mails will
> show up as being valid.  They are; the person who made *their* key
> also made their message.  It's a different key than the other John
> Doe, of course, but your mail &/or GPG/PGP client doesn't do that
> sort of check.

If you've got a gpg plugin for your mail that doesn't do this sort of
check and provide a way to alert the user to the fact that the keys
don't match, then that plugin is crap.

It's also possible that many users don't understand how to work with
the pgp system and thus they ignore important pieces of information.
There is some amount of work that needs to be done by each user in
order to avoid various pitfalls.

I can assure you that if you signed your messages and I cared about
verifying them, that I would notice very easily if someone else sent
me signed message using the same name and address on a different key.
:)

> I haven't looked too closely at the packages, I'd hope however the
> repos are managed do that.

As I understand it, currently the signing of packages for updates is
done manually by the admins.  There is work afoot to create a signing
server[1] which will be able to help automate this process.
Obviously, keeping such a system secure is very important.

> But have a look at the update notices.  Those are signed by the
> person maintaining that package, I've only seen self-signed
> messages.  None with a countersign to their signature.

Where are those at?  I don't subscribe to the package announcement
list and looking at the archives I didn't see any signatures, so either
I'm not looking at what you're talking about or the list software is
filtering the sigs.

I don't think that individual maintainers sign the announcement
messages, at least I never saw that in any of the maintainer docs I've
seen on pushing updates.  I'm genuinely curious to know what notices
you're referring to.

[1] http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If Stupidity got us into this mess, then why can't it get us out?
    -- Will Rogers (1879-1935)
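The check Todd says a mail plugin ought to do is a trust-on-first-use (TOFU) key pin: remember which key fingerprint was seen for a given address and raise an alarm when a valid signature for that same address arrives on a different key. The script below is an added example, not code from this thread or from any Fedora tool. It parses the `GOODSIG` and `VALIDSIG` lines that GnuPG writes to `--status-fd` and keeps an in-memory pin table; the two status transcripts, the names and the fingerprints are constructed sample data, and the `KeyPinStore` class and its verdict strings are my own naming.

```python
"""TOFU-style key pinning over GnuPG --status-fd verification output.

Constructed example: the status lines below imitate what `gpg --status-fd 1
--verify` prints for a good signature. Fingerprints, key IDs and the user ID
are made up; no real key or person is referenced.
"""
import re
from typing import Dict, Optional, Tuple

# Message 1: signed by the key we will see first for this address.
STATUS_KNOWN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 John Doe <john.doe@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF1111222233334444 2007-07-13 1184303533 0 4 0 17 2 00 AAAABBBBCCCCDDDDEEEEFFFF1111222233334444
[GNUPG:] TRUST_UNDEFINED
"""

# Message 2: a perfectly valid signature, same name and address, different key.
# This is the case the thread describes: gpg reports GOODSIG, so only a
# pinning check can tell the user that the key changed.
STATUS_DIFFERENT_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9999888877776666 John Doe <john.doe@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455559999888877776666 2007-07-13 1184303600 0 4 0 17 2 00 0000111122223333444455559999888877776666
[GNUPG:] TRUST_UNDEFINED
"""


def parse_status(status: str) -> Optional[Tuple[str, str]]:
    """Return (user_id, primary_key_fingerprint) for a good signature, else None.

    GOODSIG carries the user ID; VALIDSIG carries the signing key fingerprint
    followed by nine more fields, the last of which is the primary key
    fingerprint (present in GnuPG 1.4+). We pin on the primary key so that a
    rotated signing subkey of the same key does not trigger a false alarm.
    """
    user_id = None
    fingerprint = None
    for line in status.splitlines():
        m = re.match(r"\[GNUPG:\] GOODSIG \S+ (.+)$", line)
        if m:
            user_id = m.group(1).strip()
            continue
        m = re.match(r"\[GNUPG:\] VALIDSIG (.+)$", line)
        if m:
            fields = m.group(1).split()
            fingerprint = fields[9] if len(fields) > 9 else fields[0]
    if user_id is None or fingerprint is None:
        return None
    return user_id, fingerprint


def address_of(user_id: str) -> str:
    """Extract the e-mail address from 'Name <addr>' and normalise its case."""
    m = re.search(r"<([^>]+)>", user_id)
    return (m.group(1) if m else user_id).strip().lower()


class KeyPinStore:
    """Remembers the first fingerprint seen per address (trust on first use)."""

    FIRST_SEEN = "first-seen"   # no pin yet: record it, tell the user
    MATCH = "match"             # same key as before
    MISMATCH = "MISMATCH"       # valid signature, but from a different key

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, user_id: str, fingerprint: str) -> str:
        addr = address_of(user_id)
        pinned = self._pins.get(addr)
        if pinned is None:
            self._pins[addr] = fingerprint
            return self.FIRST_SEEN
        return self.MATCH if pinned == fingerprint else self.MISMATCH


def verify_with_pinning(store: KeyPinStore, status: str) -> str:
    """Combine gpg's cryptographic verdict with the key-continuity check."""
    parsed = parse_status(status)
    if parsed is None:
        return "bad-signature"
    return store.check(*parsed)


if __name__ == "__main__":
    store = KeyPinStore()
    for label, status in (("known", STATUS_KNOWN),
                          ("known again", STATUS_KNOWN),
                          ("other key", STATUS_DIFFERENT_KEY)):
        print(f"{label:12s} -> {verify_with_pinning(store, status)}")
```

A real plugin would persist the pin table on disk and let the user confirm or reject a changed key rather than just labelling it. Later GnuPG releases (2.1.10 and up) ship this idea built in as the `tofu` and `tofu+pgp` trust models, which record key-to-address bindings and warn on conflicts; in 2007, when this thread was written, that did not exist.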
