On 06/09/2012 11:57 AM, Peter Lebbing wrote:
> Suppose you would want to build from the vanilla source downloaded from
> gnupg.org and signed by "Werner Koch (dist sig)", how would you verify
> authenticity of that key?
I don't understand where this question is going. I would find some trusted path, obviously. If I contact the maintainer and am told, "I download packages and check they are signed with this fingerprint ID," well, then I'm already transitively validating-by-fiat that fingerprint ID. If instead I'm told, "I've personally met the GnuPG release authority (i.e., Werner) and have signed that certificate," then the release certificate is validated because it is certified by a trusted introducer. If I'm told "beats me, Elvis comes to me in a séance and gives me all my answers," then I would have to find some other means.
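The two validation routes the reply describes, as an added example that is not part of the thread or of GnuPG itself: a release key is accepted either because its fingerprint was pinned by fiat from a trusted source, or because a trusted introducer whose own key is valid has certified it. The fingerprints and the `TrustStore` class are constructed for illustration.

```python
# Added example, not code from the thread: models the two routes the reply names for
# deciding a distribution-signing key is valid. Every fingerprint below is constructed.
HEX = set("0123456789ABCDEF")
def normalize_fpr(fpr):
    """Drop spaces and a 0x prefix, upper-case, and require 40 hex digits so a short
    key ID is never mistaken for a full fingerprint."""
    s = fpr.replace(" ", "").upper()
    s = s[2:] if s.startswith("0X") else s
    if len(s) != 40 or not set(s) <= HEX:
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return s

class TrustStore:
    def __init__(self):
        self.pinned = set()       # fingerprints accepted by fiat (e.g. from maintainer docs)
        self.introducers = set()  # keys whose certifications we trust
        self.certs = {}           # subject fingerprint -> set of certifier fingerprints
    def pin(self, fpr): self.pinned.add(normalize_fpr(fpr))
    def trust_introducer(self, fpr): self.introducers.add(normalize_fpr(fpr))
    def certify(self, signer, subject):
        self.certs.setdefault(normalize_fpr(subject), set()).add(normalize_fpr(signer))
    def validate(self, fpr, _seen=None):
        """Return how fpr is validated, or None; a certification counts only if the
        certifier is a trusted introducer whose own key is itself valid."""
        f, seen = normalize_fpr(fpr), (set() if _seen is None else _seen)
        if f in self.pinned:
            return "pinned"
        seen.add(f)  # guards against certification cycles
        for signer in sorted(self.certs.get(f, ())):
            if signer in self.introducers and signer not in seen and self.validate(signer, seen):
                return f"certified by introducer {signer}"
        return None

# Constructed scenario: RELEASE_KEY stands in for the dist-sig key, ALICE_KEY for a
# person I have met and whose fingerprint I checked. Neither is a real fingerprint.
RELEASE_KEY = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"
ALICE_KEY = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"
STRANGER = "DEAD BEEF DEAD BEEF DEAD  BEEF DEAD BEEF DEAD BEEF"

def fiat_route():
    store = TrustStore()
    store.pin(RELEASE_KEY)             # "check they are signed with this fingerprint"
    return store.validate(RELEASE_KEY)

def introducer_route(alice_verified=True):
    store = TrustStore()
    if alice_verified:
        store.pin(ALICE_KEY)           # her key is valid because I checked it in person
    store.trust_introducer(ALICE_KEY)  # and I trust her to certify others
    store.certify(ALICE_KEY, RELEASE_KEY)
    store.certify(STRANGER, RELEASE_KEY)  # a signature from an unvalidated key adds nothing
    return store.validate(RELEASE_KEY)
```

With `alice_verified=False` the introducer flag alone is not enough: an introducer whose own key was never validated contributes nothing, which is the "some other means" case.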