| 1 |
On 1/31/19 4:40 PM, Alec Warner wrote: |
| 2 |
> |
| 3 |
> So we have a website that lists all of our developers and their gpg-fps |
| 4 |
> already. I realize that mgorny will object that this is a 'nonstandard |
| 5 |
> tool' or somesuch, but I think from my POV its a pretty straightforward |
| 6 |
> tool. Obviously it requires trusting www.gentoo.org |
| 7 |
> <http://www.gentoo.org> and our CA (of which we do not run our own, so |
| 8 |
> it is letsencrypt, IIRC.) |
| 9 |
> |
| 10 |
|
| 11 |
The problem with the PKI is that even if LetsEncrypt is trustworthy, |
| 12 |
everyone else that you trust is not. If you're in whatever theocracy is |
| 13 |
in vogue for murdering its citizens this week, then you want to be sure |
| 14 |
that your government can't forge a certificate for www.gentoo.org (which |
| 15 |
says the "f" word a lot) on-the-fly. Of course, they all can. The list |
| 16 |
of trusted CAs in modern browsers is basically a "who's who" of the |
| 17 |
least trustworthy people on Earth. |
| 18 |
|
| 19 |
With the web of trust, I am at least trusting someone who is trusting |
| 20 |
someone who is trusting someone who is trusting someone that I've met in |
| 21 |
person. It's a bit of a moot point so long as we distribute Gentoo |
| 22 |
itself over a channel that's secured by the PKI, but the two aren't |
| 23 |
equivalent. |
Archives