
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 03/09/11 19:36, Lee wrote:
> Is there a solution for this specific case?  Someone claiming to be
> Roger Dingledine included a PGP signature block in the msg that
> started this thread.  Nobody's responded "Hey! That wasn't me!!" or
> "That's not my PGP sig!" so it seems safe enough to trust that sig.
> Is there a secure way to get from that PGP sig to whatever's necessary
> for verifying a TOR package one just downloaded?

In this specific case, if a download is signed by Erinn Clark, you can
establish a chain of trust from Roger to Erinn e.g.

Roger 63FEE659 -> Matt 5FA14861 -> Andrew 31B0974B -> Erinn 63FEE659

Note that I constructed this chain by hand as a (hopefully correct)
example; there will typically be more than one chain possible. It is the
job of software to find one for you based on whom you already trust.

If the package had been signed by someone like me, a recluse whom nobody
trusts, you'd be out of luck. But if I'm claiming to be releasing
software on behalf of a team, that should ring alarm bells for you.

Does that answer your question?
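As an added illustration (not part of the original message), here is a toy search over a constructed certification graph for the kind of chain described above: it walks outward from keys you already trust and returns the shortest chain of certifications to the signer, or nothing if no chain exists within the depth limit. Key labels are placeholders, not real key IDs, and the model ignores GnuPG's owner-trust levels and signature expiry.

```python
from collections import deque

# Constructed web of trust: maps a signer to the set of keys whose identity
# that signer has certified. Labels are placeholders, not real key IDs.
CERTIFICATIONS = {
    "roger": {"matt", "nick"},
    "matt": {"andrew", "roger"},
    "nick": {"roger"},
    "andrew": {"erinn", "matt"},
    "erinn": {"andrew"},
    "recluse": set(),          # signs nothing and is signed by nobody
}

# GnuPG's default --max-cert-depth is 5; longer chains are not accepted.
MAX_CERT_DEPTH = 5


def find_trust_path(certs, trusted, target, max_depth=MAX_CERT_DEPTH):
    """Breadth-first search from already-trusted keys to `target`.

    Returns the shortest certification chain as a list of keys, or None
    if no chain of at most `max_depth` certifications exists.
    """
    if target in trusted:
        return [target]
    queue = deque((key, [key]) for key in trusted)
    seen = set(trusted)
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue  # one more hop would exceed the depth limit
        for signed in sorted(certs.get(key, ())):
            if signed in seen:
                continue
            new_path = path + [signed]
            if signed == target:
                return new_path
            seen.add(signed)
            queue.append((signed, new_path))
    return None


def verify_signer(certs, trusted, signer):
    """Verdict for a package signed by `signer`: the chain, or a refusal."""
    path = find_trust_path(certs, trusted, signer)
    if path is None:
        return f"no trust path to {signer}: do not trust this signature"
    return " -> ".join(path)


if __name__ == "__main__":
    print(verify_signer(CERTIFICATIONS, {"roger"}, "erinn"))
    print(verify_signer(CERTIFICATIONS, {"roger"}, "recluse"))
```

With only "roger" trusted, the signer "erinn" is reached through "matt" and "andrew", while the recluse yields no chain at all, matching the two outcomes described in the reply.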


