[SGVLUG] Keysigning

Henry B Hotz hbhotz at oxy.edu
Sun Dec 1 19:34:40 PST 2013


+1 to Dustin's post of 12:16

On Nov 30, 2013, at 10:51 AM, Diane Trout <diane at ghic.org> wrote:

> So when one of them signed some Python software I had reason to believe that 
> it was certified by a person I had met. (You can get to stronger levels of 
> trust in a piece of software using signed commits in git).


Could someone please explain what this means? Git uses stronger crypto than PGP? 

I wouldn't be inclined to trust any signature vouched for by a system (like git, WoT, or an X.509 CA) as much as I would if I had personally met the person who provided the key. As someone noted, this doesn't scale, so that's why we have the other things.

Anyone who does crypto knows it's the key management systems which are hard in the real world.

Personal email.  hbhotz at oxy.edu


