Date: Tue, 5 Apr 2011 04:27:12 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Web of trust

On Mon, Apr 04, 2011 at 11:00:42PM +0200, Yves-Alexis Perez wrote:
> ... considering the use of GPG, would it make sense to have at
> least some kind of "web of trust" thing on the involved keys?

Yes.  I've been checking signatures on keys, although I did "have to"
accept a few keys that were not verifiable in this way.  I relied on
other means of verification in those cases.

> That plus
> subscribing the project address when possible could help maintain
> some confidence about where the mail really ends (though that doesn't
> mean it can't be leaked later).

Yes.  With personal addresses, I have to verify that they're
acknowledged as addresses of the person involved with the project.

There's definitely room for improvement here.

Alexander
