[Psi-devel] OT: CACert included in Kubuntu?
Trejkaz
trejkaz at trypticon.org
Thu Nov 30 13:11:42 PST 2006
On Friday 01 December 2006 04:56, Justin Karneges wrote:
> Actually, this practice of secure retrieval should apply to *any* software
> package you obtain from *anywhere*, not just your operating system. This
> is why I'd like to get HTTPS and Code Signing for Psi downloads, so users
> can ensure they are getting an untainted package.
A fair collection of distros already secure things like this. I think Debian
were the first but I could be wrong. Gentoo recently added the feature too.
Both use GPG, though.
(Which is good, because with GPG there is a reasonable chance that my key will
indirectly trust the key used to sign the package -- if it were signed with
Verisign's key, this becomes a whelk's chance in a supernova.)
It would be nice if there were proof of trust of the root CAs' keys.
For instance, if my bank actually signed their key, I might believe that they
trust it. At the current point in time I have to assume that they're in the
same situation as myself -- skeptical but with little choice but to trust it.
TX
--
Email: trejkaz at trypticon.org
Jabber ID: trejkaz at trypticon.org
Web site: http://trypticon.org/
GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F A62C B8C7 BC8B 037E EA73