tech-pkg archive


Re: officially signed packages

On Mon, Apr 07, 2014 at 05:50:53PM +0200, Alistair Crooks wrote:
> Personally, I would never trust a CA-signed cert for this use case,
> and most use cases of certs in real life won't trust self-signed
> certs.  The reasons are that CAs' pure existence is as a trusted third
> party, and yet their business model calls for them to cover up any
> breach or leak.  Look how quickly Diginotar went out of business.
> This is before we look at how easy it is to con CAs into signing certs
> on behalf of domains for which proof of ownership is lacking, and the
> kinds of openssl fun we're about to see coming up over the next few months

Very nice summary of the current situation...

That's the one reason why we went for pure keys in OpenBSD, without any
kind of CA.

Commercial entities whose job it is supposed to be haven't figured out how
to manage trust correctly: in a cost-effective fashion and in a transparent
enough fashion.  I'm not THAT sure it's possible to do much better in
the open source world without major mishaps every few months.

Do you really need chains of trust?  They're actually a complex mathematical
object that defies intuition (real-world analogies carry you only so far),
most people don't really understand what's going on, and they tend to fail
sooner or later.
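As an added illustration of the "pure keys, no CA" model the reply describes (example code written for this archive page, not OpenBSD's signify or any pkgsrc tool): the verifier holds one public key obtained out of band, the package carries a manifest of file digests plus a detached Ed25519 signature over that manifest, and there is no chain to walk. The seed values, file names and manifest line format below are constructed for the demo; only the pinned public key decides whether the package is trusted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// PkgFile is one file inside a package: its path and contents.
type PkgFile struct {
	Name string
	Data []byte
}

// Manifest renders the signed text: one "SHA256 (name) = hex" line per file,
// in the order given, so the signature covers every file digest.
// (Constructed format for this example, loosely modelled on digest lists.)
func Manifest(files []PkgFile) []byte {
	var b bytes.Buffer
	for _, f := range files {
		sum := sha256.Sum256(f.Data)
		fmt.Fprintf(&b, "SHA256 (%s) = %x\n", f.Name, sum)
	}
	return b.Bytes()
}

// VerifyPackage is the whole trust decision under a pinned-key model:
// 1. the detached signature must verify under the single pinned public key,
// 2. the manifest must match the digests of the files actually delivered.
// No certificate, no issuer, no chain: if the pinned key did not sign it,
// the package is rejected regardless of who else vouches for it.
func VerifyPackage(pinned ed25519.PublicKey, manifest, sig []byte, files []PkgFile) bool {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, manifest, sig) {
		return false
	}
	return bytes.Equal(manifest, Manifest(files))
}

// Demo builds a tiny package, signs its manifest with the project key, and
// checks three cases: the genuine package, a tampered file, and a manifest
// signed by some other key. Returns (valid, tamperedAccepted, wrongKeyAccepted).
func Demo() (valid, tamperedAccepted, wrongKeyAccepted bool) {
	// Fixed seeds so the demo is deterministic; a real signer would use
	// a randomly generated key kept offline. (Constructed values.)
	projectPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	pinned := projectPriv.Public().(ed25519.PublicKey) // what the client ships with

	files := []PkgFile{
		{Name: "+CONTENTS", Data: []byte("@name hello-1.0\n")},
		{Name: "bin/hello", Data: []byte("#!/bin/sh\necho hello\n")},
	}
	manifest := Manifest(files)
	sig := ed25519.Sign(projectPriv, manifest)

	// Case 1: untouched package, signed by the pinned key.
	valid = VerifyPackage(pinned, manifest, sig, files)

	// Case 2: same manifest and signature, but a file was modified in transit.
	tampered := []PkgFile{
		files[0],
		{Name: "bin/hello", Data: []byte("#!/bin/sh\necho hello; echo modified\n")},
	}
	tamperedAccepted = VerifyPackage(pinned, manifest, sig, tampered)

	// Case 3: a perfectly good signature from a key that is not the pinned one.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	otherSig := ed25519.Sign(otherPriv, manifest)
	wrongKeyAccepted = VerifyPackage(pinned, manifest, otherSig, files)

	return valid, tamperedAccepted, wrongKeyAccepted
}

func main() {
	v, t, w := Demo()
	fmt.Printf("genuine package accepted: %v\n", v)
	fmt.Printf("tampered file accepted:   %v\n", t)
	fmt.Printf("wrong signer accepted:    %v\n", w)
}
```

The point the example makes is how small the trust decision becomes: the entire policy is "does the pinned key verify this manifest", which is easy to audit and to rotate deliberately, at the cost of having no built-in way to delegate or revoke beyond shipping a new key.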
