[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

andrew at torproject.org
Sun Sep 4 04:37:55 UTC 2011


On Sat, Sep 03, 2011 at 02:36:54PM -0400, ler762 at gmail.com wrote 2.2K bytes in 43 lines about:
: Is there a solution for this specific case?  Someone claiming to be
: Roger Dingledine included a PGP signature block in the msg that
: started this thread.  Nobody's responded "Hey! That wasn't me!!" or
: "That's not my PGP sig!" so it seems safe enough to trust that sig.
: Is there a secure way to get from that PGP sig to whatever's necessary
: for verifying a TOR package one just downloaded?

This is what the PGP web of trust is about. You can either meet Roger,
or Erinn, or me, or mikeperry, or Jacob, etc. and have us physically hand
you our PGP fingerprints. Or you can trust someone who has met us and
signed our keys, whom you then trust. Or trust someone who has trusted
someone who has met us and trusted us. Trust is like onions; onions have
layers. Trust is not like parfaits.

https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust

-- 
Andrew
pgp key: 0x74ED336B
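The "layers" Andrew describes can be made concrete as a graph walk: a key becomes valid for you if it is signed by your own key, or by a key that is itself valid and whose owner you have chosen to trust as an introducer, within some maximum chain length. The following is an added illustration, not code from this thread or from the Tor project or GnuPG; the signature graph, the names (placeholders for fingerprints) and the `find_trust_path` function are all constructed for the example, and the owner-trust and depth-limit notions are only loosely modelled on GnuPG's owner trust and `--max-cert-depth` setting.

```python
from collections import deque

# Constructed sample data: signer -> set of keys that signer has certified.
# Names stand in for key fingerprints; the graph is invented for illustration.
SIGNATURES = {
    "me": {"alice", "carol"},
    "alice": {"bob"},
    "bob": {"roger"},
    "carol": {"mallory"},
    "mallory": {"roger"},
}


def find_trust_path(target, signatures, owner_key, introducers, max_depth):
    """Return the chain of keys from owner_key to target, or None if the
    target cannot be validated.

    A chain may only be extended through keys whose owners are in
    `introducers` (you trust their judgement about other people's keys);
    your own key always extends the chain. Each signature hop counts one
    toward max_depth. Breadth-first search returns the shortest valid chain.
    """
    queue = deque([(owner_key, [owner_key])])
    seen = {owner_key}
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already as long as allowed
        if key != owner_key and key not in introducers:
            # Signatures made by this key are visible but not vouching:
            # a key you have not marked as an introducer cannot extend trust.
            continue
        for signed in signatures.get(key, ()):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, path + [signed]))
    return None


def demo():
    """Run the four cases a practitioner usually wants to see."""
    return {
        # Two trusted introducers in a row: roger's key validates.
        "two_layers": find_trust_path("roger", SIGNATURES, "me", {"alice", "bob"}, 5),
        # bob signed roger but you never trusted bob as an introducer: no chain.
        "untrusted_link": find_trust_path("roger", SIGNATURES, "me", {"alice"}, 5),
        # Chain exists but is longer than the configured depth limit.
        "too_deep": find_trust_path("roger", SIGNATURES, "me", {"alice", "bob"}, 2),
        # A key you signed yourself is valid regardless of introducers.
        "direct": find_trust_path("carol", SIGNATURES, "me", set(), 5),
    }


if __name__ == "__main__":
    for name, chain in demo().items():
        print(f"{name}: {' -> '.join(chain) if chain else 'not valid'}")
```

Note that mallory's signature on roger's key is visible in the graph but never counts, because nobody you trust has signed mallory's key and you have not marked carol as an introducer; that is exactly the property Andrew relies on when he says you must trust the person who met them, not merely observe that a signature exists.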
