Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@netbsd.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 05/19/2004 19:12:09

On Fri, May 14, 2004 at 09:40:13AM -0700, Marc Tooley wrote:
> 
> Wouldn't a web-of-trust be a more reliable source of public key
> information than a top-down hierarchy? I can be "more" sure that the
> NetBSD public key is the real public key if a bunch of trusted,
> intelligent friends also think it's the right public key.
> 
> I'd like to avoid being snaggled one afternoon downloading some new
> packages that are signed by a key I thought was genuine.
> 
> Or am I missing something?

Yes. You missed something.

You confused trusting the NetBSD public key (really should be the TNF one,
but close enough) with trusting that you have the real NetBSD public key.
There really are two different issues in there. The first is a question of
[basic, fundamental] trust, the second is a question of distribution.

They of course have the practical entanglement that if you don't trust
your distribution method, you can't really do anything.

As for seeding the NetBSD public key, we could use the pgp web-of-trust as
a distribution method. We could also get a Verisign root key, which would
make use of the existing Verisign trust network. Though I don't think we
really want to pay what Verisign will want for such a key.

For the case you describe, once you had the NetBSD public key, you
shouldn't be able to be fooled by a download.

Take care,

Bill
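The two questions Bill separates (is this key the real one, and do I trust it to sign releases) as a small runnable model, added here as an illustration and not code from this thread or from NetBSD. It assumes a Lamport one-time signature as a pure-stdlib stand-in for a PGP key, a fingerprint pinned out of band (or a quorum of attestations, the web-of-trust variant), and constructed package bytes.

```python
import hashlib
import hmac
import os

# Stand-in for a PGP key: Lamport one-time signatures over SHA-256 digests.
# The signature math is incidental; the checks further down are the point.
def keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bit(msg, i):
    return (int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (255 - i)) & 1

def sign(sk, msg):                      # reveal one preimage per digest bit
    return [sk[i][_bit(msg, i)] for i in range(256)]

def verify(pk, msg, sig):
    return all(hashlib.sha256(sig[i]).digest() == pk[i][_bit(msg, i)]
               for i in range(256))

def fingerprint(pk):                    # the value you compare out of band
    return hashlib.sha256(b"".join(h for pair in pk for h in pair)).hexdigest()

# Distribution question: is the key I downloaded the real one?
def key_is_authentic(pk, pinned_fp):
    return hmac.compare_digest(fingerprint(pk), pinned_fp)

# Web-of-trust form of the same question: enough independent parties
# (the "trusted, intelligent friends") attest to the same fingerprint.
def key_is_authentic_wot(pk, attested_fps, quorum):
    fp = fingerprint(pk)
    return sum(hmac.compare_digest(a, fp) for a in attested_fps) >= quorum

# Trust question is a one-time policy decision: this fingerprint signs
# releases. Only after the distribution check does a signature mean anything.
def package_ok(pk, package, sig, pinned_fp):
    if not key_is_authentic(pk, pinned_fp):
        return False
    return verify(pk, package, sig)

def demo():
    tnf_sk, tnf_pk = keygen()
    pinned = fingerprint(tnf_pk)        # assumed obtained out of band
    package = b"constructed package bytes"
    good = package_ok(tnf_pk, package, sign(tnf_sk, package), pinned)
    # A download served with a substitute key: the signature verifies under
    # that key, but the distribution check rejects it first.
    bad_sk, bad_pk = keygen()
    tampered = b"constructed tampered bytes"
    fooled = package_ok(bad_pk, tampered, sign(bad_sk, tampered), pinned)
    return good, fooled
```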
