Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <lha@stacken.kth.se>
List: tech-userlevel
Date: 05/14/2004 18:53:50


Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:

> Wouldn't a web-of-trust be a more reliable source of public key 
> information than a top-down hierarchy? I can be "more" sure that the 
> NetBSD public key is the real public key if a bunch of trusted, 
> intelligent friends also think it's the right public key.

I'm sure we can get your trusted intelligent friends to sign the
CA-certificate file with their PGP keys once they have made sure it's the
right certificate.

> I'd like to avoid being snaggled one afternoon downloading some new 
> packages that are signed by a key I thought was genuine.

That's why you use an attribute in the X.509 certificate (called extended
key usage) that marks the certificate as a code signing certificate approved
by the CA.

Love
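
The extended key usage check described in the reply above, as an added example that is not part of this thread and not NetBSD code: a small standard-library-only DER decoder for the X.509 extKeyUsage extension value, plus a policy function that accepts a certificate for package signing only when the extension is present and names id-kp-codeSigning (OID 1.3.6.1.5.5.7.3.3, from RFC 5280). The sample extension bytes are constructed here; the strict "extension must be present" policy is this example's choice, not something the thread specifies.

```python
# Added example (not code from the NetBSD thread): decode the X.509
# extKeyUsage extension value and decide whether a certificate is
# marked for code signing. Standard library only; the sample extension
# bytes at the bottom are constructed by hand for this example.

# Extended key usage purpose OIDs defined in RFC 5280 section 4.2.1.12.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form.

    Assumes the first subidentifier (arcs 1 and 2 combined) fits in one
    byte, which holds for every OID used in certificate extensions here.
    """
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Inverse of decode_oid, producing a full OID TLV (used to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        content.extend(reversed(chunk))
    return bytes([TAG_OID, len(content)]) + bytes(content)


def encode_eku(oids):
    """Build an extKeyUsage extension value: SEQUENCE OF KeyPurposeId."""
    content = b"".join(encode_oid(o) for o in oids)
    if len(content) >= 128:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([TAG_SEQUENCE, len(content)]) + content


def parse_eku(der):
    """Return the list of purpose OIDs in an extKeyUsage extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != TAG_OID:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("extKeyUsage SEQUENCE must not be empty")
    return oids


def allows_code_signing(eku_der):
    """Strict policy (this example's choice): extension present and names codeSigning.

    RFC 5280 lets a verifier treat a missing extension or anyExtendedKeyUsage
    as "any purpose"; a package-signing verifier should not, otherwise any
    certificate the CA ever issued (a TLS server certificate, say) could
    vouch for a package.
    """
    if eku_der is None:
        return False
    return ID_KP_CODE_SIGNING in parse_eku(eku_der)


# Constructed samples: a signer certificate marked for code signing, an
# ordinary TLS server certificate, and one with no extKeyUsage at all.
SIGNER_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_CODE_SIGNING])
TLS_ONLY_EKU = encode_eku([ID_KP_SERVER_AUTH])
NO_EKU = None

if __name__ == "__main__":
    for name, eku in [("signer", SIGNER_EKU), ("tls-only", TLS_ONLY_EKU), ("no-eku", NO_EKU)]:
        purposes = parse_eku(eku) if eku else "(absent)"
        print(name, purposes, "code signing allowed:", allows_code_signing(eku))
```

In a real verifier the `eku_der` bytes come from the extension with OID 2.5.29.37 in the certificate's extensions list, and this check sits after chain validation back to the trusted CA, not instead of it: the extension only says what the CA approved the key for, while the chain says whether that CA issued the certificate at all.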

