[prev in list] [next in list] [prev in thread] [next in thread]
List: qubes-devel
Subject: Re: [qubes-devel] Re: GitLab
From: Peter Todd <pete () petertodd ! org>
Date: 2017-05-13 23:21:21
Message-ID: 20170513232121.GA12406 () fedora-23-dvm
[Download RAW message or body]
On Sat, May 13, 2017 at 03:18:39PM -0500, Andrew David Wong wrote:
> There are many other methods you could use to attempt to verify the
> master key fingerprint aside from relying on the Qubes website. Here's
> a brief, non-exhaustive list:
>
> * Use different search engines to search for the fingerprint.
> * Use Tor to view and search for the fingerprint on various websites.
> * Use various VPNs and proxy servers.
> * Use different Wi-Fi networks (work, school, internet cafe, etc.).
> * Ask people to post the fingerprint in various forums and chat rooms.
> * Check against PDFs and photographs in which the fingerprint appears
> (e.g., slides from a talk or on a T-shirt).
> * Repeat all of the above from different computers and devices.
Don't forget the PGP web-of-trust.
For me personally this is a very short trust path with multiple connections.
For example:
1) my PGP key is 0x7FAB114267E4FA04
2) I've signed Nicolas Vigier (boklm)'s key, IIRC after a keysigning a few
years back at a Tor conference.
3) Nicolas Vigier has signed the Qubes Master Signing Key.
Which you can see here: \
https://pgp.cs.uu.nl/paths/7fab114267e4fa04/to/2067001b1b678a63.html
A few more paths:
Me to Ola Bini: \
https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=295c746984af7f0c&PATHS=trust+paths
Me to Holger Levsen: \
https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=091AB856069AAA1C&PATHS=trust+paths
Unfortunately the tools to actually find these paths all kinda suck, but they
do at least the paths exist. The one I used to find the above is
https://pgp.cs.uu.nl/, however it has the significant limitation that it only
works for keys in the "strong set" - the Qubes signing key is *not* in that set
because it has never signed another key that is in that set.
IMO the Qubes project should fix this.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/20170513232121.GA12406%40fedora-23-dvm. \
For more options, visit https://groups.google.com/d/optout.
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic