Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 02 May 2013 11:10:31 -0700
From: Russ Allbery <>
Subject: Re: upstream source code authenticity checking

Alistair Crooks <> writes:

> And if you seriously think someone who searches for my public key on a
> webserver, or through mail, or business card, etc, downloads my public
> key from one of the servers, imports it into their own pubring, signs it
> with their own private key, then mails it to me, or uploads it to one of
> the key servers, all without trusting me in any way, then I'll show you
> a pretty awful stalker (and fairly inefficient one, due to the need to
> sign my pubkey), a fan boy (which is hardly likely to happen in my
> case), or someone who is rather sad. (I'm discounting impaired judgement
> due to the baroque processes involved here, sorry xkcd).

I routinely do this.  It's called a key-signing party.  The only trust
that I am expressing with that signature is that I have seen and verified,
to the best of my ability, some form of reliable identification for that
person (ideally a passport I can verify, or a social environment in which
it would be very difficult to impersonate someone you are not) in
combination with a proof that the key I signed belongs to the person whose
identification I checked.

Just because someone attended a key-signing party doesn't mean that I
would, say, trust them to install software on my system.

Russ Allbery (             <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.