
List:       qubes-devel
Subject:    Re: [qubes-devel] Re: GitLab
From:       Peter Todd <pete () petertodd ! org>
Date:       2017-05-13 23:21:21
Message-ID: 20170513232121.GA12406 () fedora-23-dvm


On Sat, May 13, 2017 at 03:18:39PM -0500, Andrew David Wong wrote:
> There are many other methods you could use to attempt to verify the
> master key fingerprint aside from relying on the Qubes website. Here's
> a brief, non-exhaustive list:
> 
> * Use different search engines to search for the fingerprint.
> * Use Tor to view and search for the fingerprint on various websites.
> * Use various VPNs and proxy servers.
> * Use different Wi-Fi networks (work, school, internet cafe, etc.).
> * Ask people to post the fingerprint in various forums and chat rooms.
> * Check against PDFs and photographs in which the fingerprint appears
> (e.g., slides from a talk or on a T-shirt).
> * Repeat all of the above from different computers and devices.

Don't forget the PGP web-of-trust.

For me personally this is a very short trust path with multiple connections.
For example:

1) my PGP key is 0x7FAB114267E4FA04
2) I've signed Nicolas Vigier (boklm)'s key, IIRC after a keysigning a few
   years back at a Tor conference.
3) Nicolas Vigier has signed the Qubes Master Signing Key.

Which you can see here: https://pgp.cs.uu.nl/paths/7fab114267e4fa04/to/2067001b1b678a63.html

A few more paths:

Me to Ola Bini:      https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=295c746984af7f0c&PATHS=trust+paths
Me to Holger Levsen: https://pgp.cs.uu.nl/mk_path.cgi?FROM=7FAB114267E4FA04&TO=091AB856069AAA1C&PATHS=trust+paths


Unfortunately the tools to actually find these paths all kinda suck, but they
do at least show the paths exist. The one I used to find the above is
https://pgp.cs.uu.nl/, however it has the significant limitation that it only
works for keys in the "strong set" - the Qubes signing key is *not* in that set
because it has never signed another key that is in that set.

IMO the Qubes project should fix this.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
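
Added example, not part of the original message: a small Python sketch of the two ideas the message relies on, finding a signature chain between two keys and checking membership in a mutually reachable ("strong") set. The graph is constructed; only the peter -> boklm -> qubes_master edges mirror the path described above, the labels are stand-ins for key IDs, and treating the strong set as a strongly connected component is an assumption of this sketch.

```python
from collections import deque

# Constructed signature graph: SIGS[a] = keys that a has signed (certified).
# The peter -> boklm -> qubes_master edges mirror the message; the rest are made up.
SIGS = {
    "peter": {"boklm", "alice"},
    "boklm": {"qubes_master", "peter"},
    "alice": {"peter", "boklm"},
    "qubes_master": set(),  # signed by others, but has signed no key in the set
}

def trust_path(sigs, src, dst):
    """Shortest chain of signatures from src to dst (BFS), or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        key = queue.popleft()
        if key == dst:
            path = []
            while key is not None:
                path.append(key)
                key = prev[key]
            return path[::-1]
        for signed in sorted(sigs.get(key, ())):
            if signed not in prev:
                prev[signed] = key
                queue.append(signed)
    return None

def reachable(graph, start):
    """All keys reachable from start by following edges in graph."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def strong_set(sigs, member):
    """Keys mutually reachable with member: forward and backward reachability."""
    reverse = {}
    for signer, signed in sigs.items():
        for key in signed:
            reverse.setdefault(key, set()).add(signer)
    return reachable(sigs, member) & reachable(reverse, member)

if __name__ == "__main__":
    print(trust_path(SIGS, "peter", "qubes_master"))
    print(sorted(strong_set(SIGS, "peter")))
```

A key with only incoming signatures can still be verified through a chain, yet it drops out of the mutually reachable set, which is the limitation the message describes for path finders restricted to that set.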
