oss-sec mailing list archives
Re: OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking]
From: Simon McVittie <smcv () debian org>
Date: Thu, 02 May 2013 19:24:04 +0100
On 02/05/13 17:42, Daniel Kahn Gillmor wrote:
> most OpenPGP signatures in the current web of trust are *not* trust signatures, and trust packets aren't emitted or transferred publicly (they're private indicators used for local keyring storage).
Some PGP publications try to avoid mentioning "trust" altogether: they talk about "[user ID] validity" and "ownertrust".

"User ID validity" is when you sign something with semantics similar to "I am reasonably confident that the key 4096R/4DE8FF2A63C7CC90 belongs to Simon McVittie whose address is smcv () debian org". That's what happens in keysigning.

"Ownertrust" is when you configure gpg with things like "if Simon says a user ID is valid, assume that it is" (full ownertrust), or "if Simon and two others with partial ownertrust all agree that a user ID is valid, assume that it is" (partial ownertrust).

Both of those are orthogonal to whether you can trust that I haven't deliberately included malicious code in a software package signed by my key, whether you can trust that I haven't accidentally included dangerously insecure code in that package, or whether I even have the authority to be saying "this is a release" on behalf of the project from which it purports to be a release.

    S
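The distinction above (certifications establish user ID validity, locally configured ownertrust decides whose certifications count, and neither says anything about release authority) can be made concrete with a small model of GnuPG's classic trust model. The following is an added example written for this archive page; it is not code from the original message and not GnuPG's implementation. The key names, user IDs, the example.org address, the keyring contents and the per-project RELEASE_KEYS list are all constructed for illustration; the thresholds are gpg's documented defaults (--completes-needed 1, --marginals-needed 3) and --max-cert-depth is deliberately not modelled.

```python
"""Toy model of how GnuPG's classic trust model turns certifications
("I am confident this key belongs to this person") plus locally configured
ownertrust into user ID validity.  Added example, not GnuPG code; every key
name and the keyring below are constructed."""
from enum import IntEnum


class OwnerTrust(IntEnum):
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


COMPLETES_NEEDED = 1   # gpg's default --completes-needed
MARGINALS_NEEDED = 3   # gpg's default --marginals-needed
RANK = {"unknown": 0, "marginal": 1, "full": 2}


def uid_validity(key, uid, certs, ownertrust, valid_keys):
    """Validity of one user ID on `key`, given the set of keys that are
    currently fully valid.  `certs` maps (key, uid) -> set of certifiers."""
    full = marginal = 0
    for signer in certs.get((key, uid), frozenset()):
        if signer not in valid_keys:
            continue            # only a valid key can vouch for others
        trust = ownertrust.get(signer, OwnerTrust.UNKNOWN)
        if trust >= OwnerTrust.FULL:
            full += 1
        elif trust == OwnerTrust.MARGINAL:
            marginal += 1
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if full or marginal:
        return "marginal"
    return "unknown"


def compute_validity(certs, ownertrust):
    """Best validity of each key.  Iterated to a fixpoint because a key can
    only vouch for others once it is itself valid.  (gpg also bounds the
    chain with --max-cert-depth; that is not modelled here.)"""
    keys = {k for k, _ in certs} | set(ownertrust)
    validity = {k: "full" if ownertrust.get(k) == OwnerTrust.ULTIMATE else "unknown"
                for k in keys}
    while True:
        valid = {k for k, v in validity.items() if v == "full"}
        updated = dict(validity)
        for key in keys:
            if ownertrust.get(key) == OwnerTrust.ULTIMATE:
                continue        # our own key: valid by definition
            best = "unknown"
            for (k, uid) in certs:
                if k == key:
                    v = uid_validity(key, uid, certs, ownertrust, valid)
                    if RANK[v] > RANK[best]:
                        best = v
            updated[key] = best
        if updated == validity:
            return validity
        validity = updated


def verify_release(signer, validity, release_keys):
    """Validity answers "is this really Simon's key?".  Whether Simon may
    sign releases for a project is a separate question, answered here by a
    hypothetical per-project list of release-signing keys."""
    return validity.get(signer) == "full" and signer in release_keys


def example_keyring():
    """Constructed keyring: ME is our own key; everyone else is fictitious."""
    ownertrust = {
        "ME": OwnerTrust.ULTIMATE,
        "SIMON": OwnerTrust.FULL,      # "if Simon says a UID is valid, it is"
        "M1": OwnerTrust.MARGINAL,
        "M2": OwnerTrust.MARGINAL,
        "M3": OwnerTrust.MARGINAL,
    }
    certs = {
        ("SIMON", "Simon McVittie <smcv@example.org>"): {"ME"},
        ("M1", "Marginal One"): {"ME"},
        ("M2", "Marginal Two"): {"ME"},
        ("M3", "Marginal Three"): {"ME"},
        ("ALICE", "Alice"): {"SIMON"},            # one fully trusted certifier
        ("DAVE", "Dave"): {"M1", "M2", "M3"},     # three marginal certifiers
        ("EVE", "Eve"): {"M1", "M2"},             # only two marginals
        # a key carrying Simon's name that nobody we trust has certified
        ("MALLORY", "Simon McVittie <smcv@example.org>"): {"NOBODY"},
    }
    return certs, ownertrust


RELEASE_KEYS = {"SIMON"}   # hypothetical: who may sign this project's releases

if __name__ == "__main__":
    certs, ownertrust = example_keyring()
    validity = compute_validity(certs, ownertrust)
    for key in sorted(validity):
        print(f"{key:8} {validity[key]}")
    print("ALICE may sign a release:", verify_release("ALICE", validity, RELEASE_KEYS))
    print("SIMON may sign a release:", verify_release("SIMON", validity, RELEASE_KEYS))
```

Running it, SIMON, ALICE and DAVE come out fully valid, EVE only marginally valid, and MALLORY's key with Simon's name on it stays unknown; ALICE's key is just as valid as SIMON's, yet verify_release rejects it, because validity of a user ID and authority to ship a release are decided by different inputs. In real gpg the ownertrust side of this lives only in the local trustdb (gpg --edit-key ... trust to set it, gpg --export-ownertrust to see it), which is the point made in the quoted text about trust never being transferred publicly.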