oss-sec mailing list archives

Re: CVE for Kali Linux


From: Kristian Fiskerstrand <kristian.fiskerstrand () sumptuouscapital com>
Date: Sun, 22 Mar 2015 20:19:00 +0100


On 03/22/2015 06:55 PM, Kurt Seifried wrote:

> ...
>
> The problem is to do this you need some key/shared
> secret/verifiable secret, e.g. a GPG key. How do I get the GPG key
> securely?

The same way as for bootstrapping key validity using OpenPGP: in the
absence of a direct verification path, a probabilistic trust model can
be used, mainly. The package being signed using the same key over
time signifies that it is coming from an authoritative source (unless
you've been MITMed for a long time); the fingerprint of the OpenPGP key
should be included in email announcements and other documents that are
being mirrored by multiple sources, reducing the likelihood of a MITM
if the corresponding information is the same in multiple archives over a
long time. It's always better to have a direct validation path to the
key in question, but all is not in vain without it.


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies
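As an added example (not part of the post or the thread), here is a Python check that applies the probabilistic approach described above: a fingerprint counts as corroborated only when it is seen consistently in several independent mirrored sources over a long period, and a conflicting sighting anywhere flags a possible MITM. The source names and dates are constructed; the fingerprint is the one printed in the signature block.

```python
import re
from datetime import date

def normalize(key: str) -> str:
    """Uppercase hex with whitespace and a leading 0x removed. Accepts a
    32-bit key ID (8 hex), 64-bit key ID (16) or v4 fingerprint (40)."""
    key = re.sub(r"\s+", "", key)
    key = key[2:] if key.lower().startswith("0x") else key
    if not re.fullmatch(r"[0-9A-Fa-f]+", key) or len(key) not in (8, 16, 40):
        raise ValueError(f"not a key ID or v4 fingerprint: {key!r}")
    return key.upper()

def consistent(full_fpr: str, seen: str) -> bool:
    """A key ID is the low-order tail of the v4 fingerprint it abbreviates."""
    return normalize(full_fpr).endswith(normalize(seen))

def corroborate(full_fpr, observations, min_sources=3, min_span_days=365):
    """Return (ok, reasons). ok only if no sighting conflicts, at least
    min_sources distinct sources show the full fingerprint or 64-bit key ID,
    and those sightings span min_span_days. 32-bit key IDs are trivially
    collidable, so they are reported but never counted as evidence."""
    if len(normalize(full_fpr)) != 40:
        raise ValueError("full_fpr must be a v4 fingerprint")
    reasons, sources, dates = [], set(), []
    for src, day, seen in observations:
        if not consistent(full_fpr, seen):
            reasons.append(f"CONFLICT {src} {day}: {seen}")
        elif len(normalize(seen)) == 8:
            reasons.append(f"WEAK {src} {day}: 32-bit key ID, not counted")
        else:
            sources.add(src)
            dates.append(day)
    span = (max(dates) - min(dates)).days if dates else 0
    if len(sources) < min_sources:
        reasons.append(f"only {len(sources)} independent source(s), need {min_sources}")
    if span < min_span_days:
        reasons.append(f"sightings span {span} days, need {min_span_days}")
    ok = not any(r.startswith("CONFLICT") for r in reasons) \
        and len(sources) >= min_sources and span >= min_span_days
    return ok, reasons

# Constructed sightings (hypothetical sources/dates); FPR is the one in the post's signature block.
FPR = "94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3"
SIGHTINGS = [
    ("list-archive-A", date(2013, 6, 1), FPR),
    ("list-mirror-B", date(2013, 1, 10), "0xE3EDFAE3"),
    ("project-blog", date(2015, 2, 1), FPR),
    ("release-notes-mirror-C", date(2015, 3, 22), "0B7F 8B60 E3ED FAE3"),
]
```

Running `corroborate(FPR, SIGHTINGS)` accepts the key on three independent sources spanning well over a year, while noting that the 32-bit key ID sighting adds no weight.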

