Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Curt Sampson <cjs(at)cynic(dot)net>
Cc: Kurt Roeckx <Q(at)ping(dot)be>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-04 04:59:28
Message-ID: 1044334768.2790.82.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
> On Mon, 3 Feb 2003, Kurt Roeckx wrote:
>
> > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > trust those pgp keys to be the real one either.
>
> Sure you can. Just verify that they've been signed by someone you trust.
>
> For example, next time I happen to run into Bruce Momjian, I hope he'll
> have his PGP key fingerprint with him. I can a) verify that he's the
> same guy who, under the name "Bruce Momjian," was giving the seminar I
> went to last weekend, and b) check his passport ID to see that the U.S.
> government believes that someone who looks like him is indeed "Bruce Momjian"
> and a U.S. citizen. That, for me, is enough to trust that he is who he
> says he is when he gives me the fingerprint.
>
> I take that fingerprint back to my computer and verify that the key I
> downloaded from the MIT keyserver has the same fingerprint. Then I sign
> that key with my own signature, assigning it an appropriate level of trust.
>
> Next time I download a postgres release, I then grab a copy of the
> postgres release-signing public key, and verify that its private key was
> used to sign the postgres release, and that it is signed by Bruce's key.
>
> Now I have a direct chain of trust that I can evaluate:
>
> 1. Do I believe that the person I met was indeed Bruce Momjian?
>
> 2. Do I trust him to take care of his own key and be careful signing
> other keys?
>
> 3. Do I trust his opinion that the postgres release-signing key that
> he signed is indeed valid?
>
> 4. Do I trust the holder of the postgres release-signing key to have
> taken care of the key and have been careful about signing releases
> with it?
>
> Even if you extend this chain by a couple of people, that's trust in a
> lot fewer people than you're going to need if you want to trust an MD5
> signature.
>
> cjs

And that's the beginning of the web of trust. ;) Worth noting that
snail-mail and phone calls can easily play a role in this process as
well. I think if USPO can play a role in delivering master keys for pin
pads used by banks across America and around the world, surely it's
good enough to help propagate key information for signing packages.

Regards,

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
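The chain Curt walks through above (my key certifies Bruce's, Bruce's certifies the release-signing key, and each hop carries an owner-trust decision) is what an OpenPGP implementation computes mechanically. The following is an added example, not code from the thread or from PostgreSQL: a small model of GnuPG's classic web-of-trust rules, with assumed defaults of one fully trusted certifier or three marginally trusted ones, and a maximum certification depth of five. The key names (`me`, `bruce`, `release`, `stranger`, `hop0`...) are constructed sample data, and the scenarios go slightly beyond the message by also showing what happens when certifiers are only marginally trusted, when a keyserver key has no certification from anyone I trust, and when the chain gets too long.

```python
"""Toy model of the OpenPGP web-of-trust evaluation behind the chain in the thread.

Assumed simplification of GnuPG's classic trust model: a key becomes valid when
it is certified by one valid key whose owner I trust fully (or ultimately), or by
MARGINALS_NEEDED valid keys whose owners I trust marginally, within MAX_CERT_DEPTH
certification steps from my own key. All key names below are constructed.
"""
from dataclasses import dataclass, field

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)   # owner-trust levels
MARGINALS_NEEDED = 3     # assumed GnuPG default (--marginals-needed)
COMPLETES_NEEDED = 1     # assumed GnuPG default (--completes-needed)
MAX_CERT_DEPTH = 5       # assumed GnuPG default (--max-cert-depth)


@dataclass
class Key:
    keyid: str
    owner_trust: int = UNKNOWN                        # how far I trust the holder to certify others
    certified_by: set = field(default_factory=set)    # key ids whose signatures are on this key


def compute_validity(keys, my_keyids):
    """Return {keyid: depth} for every key the model considers valid."""
    valid = {kid: 0 for kid in my_keyids}   # my own keys are valid at depth 0
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for kid, key in keys.items():
            if kid in valid:
                continue
            # Only certifications from keys that are themselves already valid count.
            certifiers = [keys[c] for c in key.certified_by if c in valid]
            fulls = sum(1 for c in certifiers if c.owner_trust >= FULL)
            marginals = sum(1 for c in certifiers if c.owner_trust == MARGINAL)
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly[kid] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def release_key_is_trusted(keys, my_keyids, release_keyid):
    """The question the thread ends on: can I rely on the release-signing key?"""
    return release_keyid in compute_validity(keys, my_keyids)


def curt_scenario():
    """Curt's chain: me -> Bruce (fingerprint checked in person, key signed,
    owner trusted fully) -> release-signing key (certified by Bruce)."""
    keys = {
        "me": Key("me", ULTIMATE),
        "bruce": Key("bruce", FULL, {"me"}),
        "release": Key("release", UNKNOWN, {"bruce"}),
    }
    return release_key_is_trusted(keys, ["me"], "release")


def marginal_scenario(n_marginal_signers):
    """Same shape of chain, but each intermediate person is only marginally
    trusted: one marginal certification is not enough, MARGINALS_NEEDED are."""
    keys = {"me": Key("me", ULTIMATE)}
    signers = set()
    for i in range(n_marginal_signers):
        kid = f"person{i}"
        keys[kid] = Key(kid, MARGINAL, {"me"})
        signers.add(kid)
    keys["release"] = Key("release", UNKNOWN, signers)
    return release_key_is_trusted(keys, ["me"], "release")


def unverified_keyserver_scenario():
    """Kurt's objection: a key pulled from a keyserver with no certification
    from anyone I trust is not valid, whatever name it carries."""
    keys = {
        "me": Key("me", ULTIMATE),
        "stranger": Key("stranger", UNKNOWN, set()),
        "release": Key("release", UNKNOWN, {"stranger"}),
    }
    return release_key_is_trusted(keys, ["me"], "release")


def long_chain_scenario(length):
    """Chain of `length` fully trusted intermediaries; once the release key sits
    deeper than MAX_CERT_DEPTH it is no longer reached."""
    keys = {"me": Key("me", ULTIMATE)}
    prev = "me"
    for i in range(length):
        kid = f"hop{i}"
        keys[kid] = Key(kid, FULL, {prev})
        prev = kid
    keys["release"] = Key("release", UNKNOWN, {prev})
    return release_key_is_trusted(keys, ["me"], "release")


if __name__ == "__main__":
    print("Curt's chain trusts the release key:", curt_scenario())
    print("one marginal certifier:", marginal_scenario(1))
    print("three marginal certifiers:", marginal_scenario(3))
    print("unverified keyserver key:", unverified_keyserver_scenario())
```

The point of the model is that the four questions in Curt's list map onto two inputs, the certifications on each key and the owner-trust I assign to each holder, and that a signature on a release is only as good as the path from my own key to the key that made it.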
