On 03/09/11 19:36, Lee wrote:
> Is there a solution for this specific case? Someone claiming to be
> Roger Dingledine included a PGP signature block in the msg that
> started this thread. Nobody's responded "Hey! That wasn't me!!" or
> "That's not my PGP sig!" so it seems safe enough to trust that sig.
>
> Is there a secure way to get from that PGP sig to whatever's necessary
> for verifying a TOR package one just downloaded?

In this specific case, if a download is signed by Erinn Clark, you can establish a chain of trust from Roger to Erinn, e.g.

Roger 63FEE659 -> Matt 5FA14861 -> Andrew 31B0974B -> Erinn 63FEE659

Note that I constructed this chain by hand as a (hopefully correct) example; there will typically be more than one chain possible. It is the job of software to find one for you based on whom you already trust.

If the package had been signed by someone like me, a recluse whom nobody trusts, you'd be out of luck. But if I'm claiming to be releasing software on behalf of a team, that should ring alarm bells for you.

Does that answer your question?

Julian
Attachment: signature.asc (OpenPGP digital signature)
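The path finding that Julian says is "the job of software", as an added example that is not part of the original post: a breadth-first search over a certification graph that reproduces the chain quoted in the message. The graph, the extra keys ("Nick", "Julian") and the ownertrust set are constructed here for illustration, keyed by owner name rather than by a real keyring, and the depth cap of 5 is GnuPG's default --max-cert-depth.

```python
from collections import deque

# Constructed data, not a real keyring. CERTIFIED_BY maps a key (by owner name)
# to the keys it has signed; the edges reproduce the chain in the message
# (Roger -> Matt -> Andrew -> Erinn). "Nick" (a dead end) and "Julian" (only
# self-signed, so nobody vouches for it) are made up here.
CERTIFIED_BY = {
    "Roger": {"Matt", "Nick"},
    "Matt": {"Andrew"},
    "Andrew": {"Erinn"},
    "Nick": set(),
    "Erinn": set(),
    "Julian": {"Julian"},
}

# Ownertrust (constructed): a certification only propagates validity when the
# signing key is one the user has marked as a trusted introducer, as in GnuPG.
TRUSTED_INTRODUCERS = {"Roger", "Matt", "Andrew"}

MAX_CERT_DEPTH = 5  # GnuPG's default --max-cert-depth


def find_trust_path(trusted_key, signer, graph=CERTIFIED_BY,
                    introducers=TRUSTED_INTRODUCERS, max_depth=MAX_CERT_DEPTH):
    """Shortest certification chain from a key the user already trusts to the
    key that signed the download, or None if no valid chain exists within
    max_depth hops through trusted introducers."""
    if trusted_key == signer:
        return [trusted_key]
    queue = deque([[trusted_key]])
    seen = {trusted_key}
    while queue:
        path = queue.popleft()
        node = path[-1]
        hops = len(path) - 1
        # The start key is trusted by definition; every other link must be a
        # trusted introducer, and the chain may not exceed the depth cap.
        if (node != trusted_key and node not in introducers) or hops >= max_depth:
            continue
        for certified in sorted(graph.get(node, ())):
            if certified in seen:
                continue
            new_path = path + [certified]
            if certified == signer:
                return new_path
            seen.add(certified)
            queue.append(new_path)
    return None


def signer_is_verifiable(trusted_key, signer):
    """True when the release signer's key is reachable via trusted introducers."""
    return find_trust_path(trusted_key, signer) is not None
```

A signature from a key with no such chain (the "recluse" case) is cryptographically valid but says nothing about who made the release, which is exactly the alarm bell the message describes.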
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk