[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Public Key Chaos

To: tor-dev@xxxxxxxxxxxxxxxxxxxx, a3at.mail@xxxxxxxxx, niels@xxxxxxxxxx
Subject: [tor-dev] Public Key Chaos
From: thomas.hluchnik@xxxxxxxxxxxxx
Date: Wed, 10 Jan 2018 11:10:52 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 10 Jan 2018 05:11:31 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=netcologne.de; s=nc1116a; t=1515579063; bh=Ycp8t+ogUp4F4uhU+WE6ETZn0cpT3o9o0BpJKm4emt8=; h=From:To:Subject:Date:Message-Id:From; b=ePYDiFEeRJMj6w+0I42I8llkodoQm64ImNh0i6oPO3Y4aWiGh2PhGlfHCV67+S9nv 3+q5XLAIqFgOx3Re0+zvi5+a62qMibsE4vJyoteXiMvLc9EXGTGyjEL57zS+RBP0z8 I+lf84Fmgn7ybqmOG+nGwTbvQn9sjPevKhRZrFM+Lu9B/dupTxqmgIGb5QJR6Mvj2M JDZVFlVuGep+rgFOlOBM0h8Zw3NFi9JVJ1hk9Y70A9Wh6Qg3JbZggVtsPTEalrdD3w yP32vepCWAn8PhE3xAdEmXgU8E5ejSVkebQ0F6sFhBTVUCbJ4i+2h05Y7tAp79gzpN 8Bb/V6JYQPFTQ==
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: KMail/1.9.10

Hello all,

I am just going to update my tor server, building packages from source. I do that not only for tor but also for libevent. So I downloaded the tarballs plus signature from libevent.org and that's what I found:

$ gpg --verify libevent-2.0.22-stable.tar.gz.asc
gpg: Signature made Mon Jan  5 16:16:20 2015 CET using RSA key ID 8D29319A
gpg: Good signature from "Nick Mathewson <nickm@xxxxxxxxxxxx>"
gpg:                 aka "Nick Mathewson <nickm@xxxxxxxxxxx>"
gpg:                 aka "Nick Mathewson <nickm@xxxxxxxxxxxxx>"
gpg:                 aka "[jpeg image of size 3369]"


$ gpg --verify libevent-2.1.8-stable.tar.gz.asc
gpg: Signature made Sun Jan 29 19:42:03 2017 CET using RSA key ID 8EF8686D
gpg: Good signature from "Azat Khuzhin <a3at.mail@xxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9E3A C83A 2797 4B84 D1B3  401D B860 8684 8EF8 686D


$ gpg --list-sigs "Azat Khuzhin"
pub   2048R/8EF8686D 2010-06-10
uid                  Azat Khuzhin <a3at.mail@xxxxxxxxx>
sig 3        8EF8686D 2010-06-10  Azat Khuzhin <a3at.mail@xxxxxxxxx>
sub   2048R/7A34F923 2010-06-10
sig          8EF8686D 2010-06-10  Azat Khuzhin <a3at.mail@xxxxxxxxx>


While nickm@xxxxxxxxxxxx was signed by many, many people, I find no signature for "Azat Khuzhin <a3at.mail@xxxxxxxxx>" at all. How can I trust that key? How can I be sure that libevent 2.1.8 is a good package? Why has Azat Khuzhin public key no signature from Nick Mathewson or anyone else? I don't trust that package for now until I find it signed with the keys of at least Nick Mathewson and Niels Provos.

Correct me if I a wrong.

Best Regards, Thomas
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Block Global Active Adversary Cloudflare
Next by Author: Re: [tor-dev] Proposal: Expose raw bwauth votes
Previous by thread: Re: [tor-dev] Tor dev help
Next by thread: [tor-dev] Why do DirAuths take that long to update a relay's version information?
Index(es):
- Author
- Thread