Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On Sat, Sep 03, 2011 at 02:36:54PM -0400, ler762@xxxxxxxxx wrote 2.2K bytes in 43 lines about:
: Is there a solution for this specific case?  Someone claiming to be
: Roger Dingledine included a PGP signature block in the msg that
: started this thread.  Nobody's responded "Hey! That wasn't me!!" or
: "That's not my PGP sig!" so it seems safe enough to trust that sig.
: Is there a secure way to get from that PGP sig to whatever's necessary
: for verifying a TOR package one just downloaded?

This is what the PGP web of trust is about. You can either meet roger,
or erinn, or me, or mikeperry, or jacob, etc., and have us physically hand
you our PGP fingerprints. Or you can trust someone who has met us and
signed our keys, that you then trust. Or trust someone who has trusted
someone who has met us and trusted us. Trust is like onions, onions have
layers. Trust is not like parfaits.


