Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <firstname.lastname@example.org>
Date: 05/14/2004 18:53:50
Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
> Wouldn't a web-of-trust be a more reliable source of public key
> information than a top-down hierarchy? I can be "more" sure that the
> NetBSD public key is the real public key if a bunch of trusted,
> intelligent friends also think it's the right public key.
I'm sure we can get your trusted intelligent friends to sign the
CA-certificate file with their pgp keys once they have made sure it's the
> I'd like to avoid being snaggled one afternoon downloading some new
> packages that are signed by a key I thought was genuine.
That's why you use an attribute in the X.509 certificate (called extended
key usage) that marks the certificate as a code signing certificate approved
by the CA.
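The extended key usage check described above, as an added example (it is not code from this mail or from NetBSD): a small DER decoder for the extendedKeyUsage extension value (SEQUENCE OF OBJECT IDENTIFIER) that accepts a certificate for package signing only if the CA listed id-kp-codeSigning. The sample extension bytes are constructed; the function names are my own.

```python
# Added example, not from the original mail: decode an X.509 extendedKeyUsage
# extension value and decide whether the certificate may sign code.
# The sample DER bytes below are constructed for this demonstration.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

def _read_tlv(buf, pos):
    """Read one DER tag/length/value (short or long length form)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the contents octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]   # first byte packs the first two arcs
    value = 0
    for b in body[1:]:                     # remaining arcs are base-128, high bit = more
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_extended_key_usage(ext_value):
    """Return the key-purpose OIDs of a DER ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(decode_oid(body))
    return oids

def may_sign_code(ext_value):
    """Trust a certificate for package signing only if the CA put codeSigning in its EKU.
    A certificate without the extension (None) is refused: approval must be explicit."""
    if ext_value is None:
        return False
    return ID_KP_CODE_SIGNING in parse_extended_key_usage(ext_value)

# Constructed samples: EKU with {serverAuth, codeSigning} and EKU with {serverAuth} only.
SAMPLE_EKU_CODE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070303")
SAMPLE_EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
```

This checks only the key-purpose attribute; the chain from the leaf certificate up to the trusted CA certificate still has to be validated before the EKU value means anything.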