On 1/31/19 4:40 PM, Alec Warner wrote:
>
> So we have a website that lists all of our developers and their gpg-fps
> already. I realize that mgorny will object that this is a 'nonstandard
> tool' or somesuch, but I think from my POV it's a pretty straightforward
> tool. Obviously it requires trusting www.gentoo.org
> <http://www.gentoo.org> and our CA (of which we do not run our own, so
> it is letsencrypt, IIRC.)
>

The problem with the PKI is that even if LetsEncrypt is trustworthy,
everyone else that you trust is not. If you're in whatever theocracy is
in vogue for murdering its citizens this week, then you want to be sure
that your government can't forge a certificate for www.gentoo.org (which
says the "f" word a lot) on-the-fly. Of course, they all can. The list
of trusted CAs in modern browsers is basically a "who's who" of the
least trustworthy people on Earth.

With the web of trust, I am at least trusting someone who is trusting
someone who is trusting someone who is trusting someone that I've met in
person. It's a bit of a moot point so long as we distribute Gentoo
itself over a channel that's secured by the PKI, but the two aren't
equivalent.