On 06/09/2012 11:05 AM, Peter Lebbing wrote:
> your reply, I understand now you did not mean it like that. I was
> already quite puzzled about my interpretation because it didn't sound
> like you :).

Thank you for giving me the benefit of the doubt. :)

> Funnily, we're saying the same thing. You yourself said you don't
> particularly care if Werner Koch is actually called Horace
> Micklethorpe or Harry Palmer or ... Then why are you interested in
> the number of Werner Kochs?

I'm not interested in the number of Werner Kochs. I'm interested in the difference between *the* entity and *an* entity. The entity that signs these releases happens to be Werner. But there are many entities named Werner, so how do we know we have the certificate belonging to the correct entity?

It's an identification problem. Werner's only relevance to it _qua_ himself is that we acknowledge him as the definitive authenticator of the code: "yes, that is the code I wrote." If we're going to rely on a definitive authenticator, shouldn't we ensure we're actually talking to the actual authenticating entity? :)

> So how did you verify your GnuPG source? If you say "I asked a close
> friend", my counterquestion is: How did he/she? What I want to know
> is: what bootstrapped the confidence that the key was the proper
> GnuPG dist sig?

My bootstrap is "I trust my Linux distribution." My distro is a trusted software provider, in the traditional security sense of a "trusted provider". If I receive software from an official Fedora repo and it is signed by the repo release team, that's good enough for me. How did I come to trust that I have the correct certificate for the repo release team? Because it came on the DVD, which is my trusted bootstrap.

I fully acknowledge this is validation by fiat. Some people will think it's a perfectly reasonable way of doing things. Others will think I'm crazy. It's up to the individual to decide. :)

> And I do not see this process as, to quote you, "certifiably crazy"
> at all.

And as I said, apparently you and I have completely different opinions on whether crowdsourcing should be trusted for these matters. And, you know, that's okay.
:)