On Thu, Jun 28, 2007 at 10:25:05 +0100, Chris Lale wrote:
> Florian Kulzer wrote:
> [...]
> > $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring
> > /usr/share/keyrings/debian-backports-keyring.gpg --check-sig 16BA136C
> > pub   1024D/16BA136C 2005-08-21
> > uid                  Backports.org Archive Key
> > sig!        7E7B8AC9 2005-11-20  Joerg Jaspert
> > sig!3       16BA136C 2005-08-21  Backports.org Archive Key
> > sig!3       16BA136C 2005-08-21  Backports.org Archive Key
> > sub   2048g/5B82CECE 2005-08-21
> > sig!        16BA136C 2005-08-21  Backports.org Archive Key
> >
> [..]
>
> Thanks, Florian.
>
> I suppose that you can check that Joerg Jaspert is a Debian developer by
> checking the Debian developer database [1].
>
> [1] http://db.debian.org/

It cannot hurt to check in the database and compare the key fingerprint, but
this does not really increase security. (There is no protection against a
man-in-the-middle attack when you connect to the database with normal http.)
The relevant fact, in my opinion, is that his key is on the official Debian
keyring. You can tell gpg to explicitly list the keyring for a known key if
you want to be sure:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-options show-keyring --with-fingerprint --list-key "Joerg Jaspert"
Keyring: /usr/share/keyrings/debian-keyring.gpg
-----------------------------------------------
pub   1024D/7E7B8AC9 2002-05-11
      Key fingerprint = DF7D EB2F DB28 FD2B A9FB FA6D 715E D6A0 7E7B 8AC9
[ rest of output deleted ]

Another thing that increases trust is how many other Debian developers have
signed his key. (This means that he had to show them some official photo ID.)
This command produces a lot of output:

$ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 7E7B8AC9

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
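The two checks Florian describes (is the signer's key on the official Debian keyring, and how many other keys on that keyring have certified it) can be automated from gpg's machine-readable `--with-colons` output instead of eyeballing the human-readable listing. The script below is an added example and is not code from this thread or from the Debian project. It assumes the colon-format records documented in gpg's DETAILS file: `pub` (key ID in field 5), `fpr` (fingerprint in field 10), `uid`, `sub`, and `sig` (validity in field 2, `!` meaning `--check-sigs` verified it, signer key ID in field 5, signer user ID in field 10, signature class in field 11). The sample listings are constructed: key IDs and the fingerprint are the ones quoted in the mail, but they are abbreviated to 8-character short IDs as in the mail (real `--with-colons` output prints 16-character long IDs, and since short IDs can be forged, match on fingerprints from `fpr` records whenever your gpg prints them), and `DEADBEEF` and `01234567` are invented placeholders for a signer that is not on the keyring and for a second developer key.

```python
"""Audit the certifications on a key against a trusted keyring.

Added example, not code from the debian-user thread. It parses the
machine-readable (--with-colons) output of two gpg invocations:

  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg \
      --keyring /usr/share/keyrings/debian-backports-keyring.gpg \
      --with-colons --check-sigs 16BA136C        > backports.sigs
  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg \
      --with-colons --with-fingerprint --list-keys > developers.list

and counts only signatures that gpg verified as good ("!"), that are not
self-signatures, that certify a user ID (class 0x10-0x13) rather than bind
a subkey, and whose signer is present in the trusted keyring.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Certification:
    signer_keyid: str   # field 5 of the sig record
    signer_uid: str     # field 10; "[User ID not found]" when gpg lacks the key
    sig_class: int      # 0x10..0x13 certify a UID, 0x18 binds a subkey, 0x30 revokes
    good: bool          # validity "!" as reported by --check-sigs
    self_signature: bool
    on_subkey: bool


def parse_check_sigs(colon_output: str) -> Dict[str, List[Certification]]:
    """Map each primary key ID in a --check-sigs listing to the sigs under it."""
    result: Dict[str, List[Certification]] = {}
    current: Optional[str] = None
    under_subkey = False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            under_subkey = False
            result[current] = []
        elif f[0] == "uid":
            under_subkey = False
        elif f[0] == "sub":
            under_subkey = True          # following sigs are subkey bindings
        elif f[0] in ("sig", "rev") and current is not None and len(f) > 10:
            sig_class = int(f[10][:2] or "0", 16)
            result[current].append(Certification(
                signer_keyid=f[4],
                signer_uid=f[9],
                sig_class=sig_class,
                good=(f[1] == "!"),
                self_signature=(f[4] == current),
                on_subkey=under_subkey,
            ))
    return result


def list_keyring(colon_output: str) -> Dict[str, Optional[str]]:
    """Map primary key IDs in a --list-keys listing to their fingerprint, if printed."""
    keys: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = None
        elif f[0] == "fpr" and current is not None and keys[current] is None and len(f) > 9:
            keys[current] = f[9]         # first fpr after pub is the primary key's
        elif f[0] == "sub":
            current = None               # later fpr records belong to subkeys


    return keys


def trusted_certifiers(certs: List[Certification], trusted: Set[str]) -> List[str]:
    """Distinct signer key IDs (in order seen) that are good, foreign, UID
    certifications made by a key present in the trusted keyring."""
    seen: List[str] = []
    for c in certs:
        if not c.good or c.self_signature or c.on_subkey:
            continue
        if not 0x10 <= c.sig_class <= 0x13:
            continue                     # revocations, bindings, etc.
        if c.signer_keyid in trusted and c.signer_keyid not in seen:
            seen.append(c.signer_keyid)
    return seen


def normalize_fingerprint(text: str) -> str:
    """Strip the spacing gpg prints so a fingerprint can be compared exactly."""
    return "".join(text.split()).upper()


def audit(target_keyid: str, check_sigs_output: str, keyring_output: str) -> dict:
    certs = parse_check_sigs(check_sigs_output).get(target_keyid, [])
    keyring = list_keyring(keyring_output)
    return {
        "signatures_seen": len(certs),
        "trusted_certifiers": trusted_certifiers(certs, set(keyring)),
        "fingerprints": keyring,
    }


# Constructed sample of --check-sigs on the backports key, abbreviated to the
# short key IDs used in the mail. DEADBEEF is an invented signer absent from
# the developer keyring, so gpg could not verify that signature ("?").
BACKPORTS_CHECK_SIGS = """\
tru:o:0:1183000000:1:3:1:5
pub:-:1024:17:16BA136C:2005-08-21:::-:::scESC:
uid:-::::2005-08-21::::Backports.org Archive Key::
sig:!::17:7E7B8AC9:2005-11-20::::Joerg Jaspert:10x:
sig:!::17:16BA136C:2005-08-21::::Backports.org Archive Key:13x:
sig:!::17:16BA136C:2005-08-21::::Backports.org Archive Key:13x:
sig:?::17:DEADBEEF:2006-03-01::::[User ID not found]:10x:
sub:-:2048:16:5B82CECE:2005-08-21::::::e:
sig:!::17:16BA136C:2005-08-21::::Backports.org Archive Key:18x:
"""

# Constructed sample of --list-keys on the developer keyring; 01234567 is an
# invented second developer key with no fingerprint record.
DEVELOPER_KEYRING = """\
pub:-:1024:17:7E7B8AC9:2002-05-11:::-:::scESC:
fpr:::::::::DF7DEB2FDB28FD2BA9FBFA6D715ED6A07E7B8AC9:
uid:-::::2002-05-11::::Joerg Jaspert::
pub:-:1024:17:01234567:2003-01-01:::-:::scESC:
uid:-::::2003-01-01::::Another Developer (constructed)::
"""

if __name__ == "__main__":
    report = audit("16BA136C", BACKPORTS_CHECK_SIGS, DEVELOPER_KEYRING)
    print("signatures seen:", report["signatures_seen"])
    print("certified by keyring members:", report["trusted_certifiers"])
    print("fingerprint of 7E7B8AC9:", report["fingerprints"]["7E7B8AC9"])
```

Of the five signature records in the sample, only Joerg Jaspert's counts: the two self-signatures prove nothing, the subkey binding signature is not a certification, and the signature from a key not on the keyring is both unverifiable and untrusted. Run `audit` with the real outputs redirected to files as shown in the docstring, and compare `fingerprints["7E7B8AC9"]` with `normalize_fingerprint()` of the value you read off db.debian.org.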