[SGVLUG] Keysigning

Henry B Hotz hbhotz at oxy.edu
Sun Dec 1 23:20:31 PST 2013


On Dec 1, 2013, at 9:23 PM, Diane Trout <diane at ghic.org> wrote:

> On Sunday, December 01, 2013 19:34:40 Henry B Hotz wrote:
>> +1 to Dustin's post of 12:16
>> 
>> On Nov 30, 2013, at 10:51 AM, Diane Trout <diane at ghic.org> wrote:
>>> So when one of them signed a some Python software I had reason to believe
>>> that it was certified by a person I had met. (You can get to stronger
>>> levels of trust in a piece of software using signed commits in git).
>> 
>> Could someone please explain what this means? Git uses stronger crypto than
>> PGP?
> 
> No, git has the option of using GPG keys for signing tags (git tag -s) and
> commits (git commit -S).

Ah! The man page is a bit sketchy on detail, but sounds like it's doing a real signed MAC as opposed to a simple hash of the content. Nice. Presumably it's equivalent to GPG-signed email.

> Though for people who dislike the WoT, I don't see what's wrong with using the
> WoT as long as you think of it as providing supportive evidence and not
> certainty.

There are two halves to the problem: 1) is the crypto done correctly without gaps in what it covers, and 2) does the key used actually belong to who you think it should. WoT provides a plausible way to solve the second problem, and it attempts to model the real-world uncertainties that may attach to that problem. AFAIK it's unique in *not* trying to provide an absolute solution.

> Diane

Personal email.  hbhotz at oxy.edu
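Added example (not part of Henry's or Diane's messages) showing what `git commit -S` actually signs: it parses a constructed signed commit object, separates the `gpgsig` header from the payload that GPG signed, and computes the commit id. The payload binds the tree id (and through it every file), the parents, author, committer and message; the commit id in turn covers the signature. The parent id and signature body are placeholders.

```python
import hashlib

# Constructed sample of a GPG-signed git commit object, as `git cat-file commit`
# would print it. Parent id and signature body are placeholders, not real values.
SIGNED_COMMIT = b"\n".join([
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    b"parent 0123456789abcdef0123456789abcdef01234567",
    b"author Alice Example <alice@example.org> 1385962831 -0800",
    b"committer Alice Example <alice@example.org> 1385962831 -0800",
    b"gpgsig -----BEGIN PGP SIGNATURE-----",
    b" ",  # blank line inside the armor is stored as a lone space (continuation)
    b" iQEzBAABCAAdPLACEHOLDERSIGNATUREBODYxxxxxxxxxxxxxxxxxxxxxxxxxx",
    b" =abcd",
    b" -----END PGP SIGNATURE-----",
    b"",
    b"Add release notes",
    b"",
])

def split_signed_commit(raw: bytes):
    """Return (payload, signature): the bytes GPG signed and the armored signature."""
    # Git keeps the signature in a `gpgsig` header whose continuation lines start
    # with one space; `git verify-commit` strips that header and hands the rest to gpg.
    headers, message = raw.split(b"\n\n", 1)
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # continuation line: drop the leading space
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature

def object_id(raw: bytes) -> str:
    """Commit id = SHA-1 over the loose-object header plus the full object text."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()

if __name__ == "__main__":
    payload, signature = split_signed_commit(SIGNED_COMMIT)
    print(payload.decode())    # what gpg verifies: tree, parents, author, committer, message
    print(signature.decode())
    print("commit id:", object_id(SIGNED_COMMIT))
```

With a real commit, `git cat-file commit HEAD` yields the raw object and `git verify-commit HEAD` performs the check this code only prepares; the signature is a detached signature over the payload, not a hash of the files themselves.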
