[SGVLUG] Keysigning
Henry B Hotz
hbhotz at oxy.edu
Sun Dec 1 23:20:31 PST 2013
On Dec 1, 2013, at 9:23 PM, Diane Trout <diane at ghic.org> wrote:
> On Sunday, December 01, 2013 19:34:40 Henry B Hotz wrote:
>> +1 to Dustin's post of 12:16
>>
>> On Nov 30, 2013, at 10:51 AM, Diane Trout <diane at ghic.org> wrote:
>>> So when one of them signed some Python software I had reason to believe
>>> that it was certified by a person I had met. (You can get to stronger
>>> levels of trust in a piece of software using signed commits in git).
>>
>> Could someone please explain what this means? Git uses stronger crypto than
>> PGP?
>
> No, git has the option of using GPG keys for signing tags (git tag -s) and
> commits (git commit -S).
Ah! The man page is a bit sketchy on detail, but sounds like it's doing a real signed MAC as opposed to a simple hash of the content. Nice. Presumably it's equivalent to GPG-signed email.
> Though for people who dislike the WoT, I don't see what's wrong with using the
> WoT as long as you think of it as providing supportive evidence and not
> certainty.
There are two halves to the problem: 1) is the crypto done correctly without gaps in what it covers, and 2) does the key used actually belong to who you think it should. WoT provides a plausible way to solve the second problem, and it attempts to model the real-world uncertainties that may attach to that problem. AFAIK it's unique in *not* trying to provide an absolute solution.
> Diane
Personal email. hbhotz at oxy.edu
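Since the thread turns on "is the crypto done correctly without gaps in what it covers", here is an added example (not code from git or from anyone on this list) that makes the coverage concrete. It splits a git commit or tag object into the bytes the signature is computed over and the detached armored signature, the same split that git verify-commit / git verify-tag perform before handing both to gpg, and it lists which header fields end up under the signature. The sample commit, tag, names and the armored signature are constructed placeholders (the tree hash is git's well-known empty tree); gpg_status() invokes gpg the way git does and only returns a real verdict for objects pulled from a repository with git cat-file and a signer key in the keyring.

```python
"""What a git commit/tag signature actually covers.

Added example for the SGVLUG keysigning thread; not git's code. The sample
objects below are constructed and their armored signature is a placeholder.
"""
import os
import shutil
import subprocess
import tempfile

PGP_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def split_commit(raw: bytes):
    """Signed commit (git commit -S): the signature is stored in a 'gpgsig'
    header whose continuation lines each start with one space. The signed
    payload is the commit object with that header removed, so tree, parents,
    author, committer and the message are all covered; the tree hash in turn
    commits to every file. Returns (payload, sig), or (raw, None) if unsigned."""
    header, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("not a commit object: missing blank line")
    kept, sig_lines, in_sig = [], [], False
    for line in header.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    if not sig_lines:
        return raw, None
    return b"\n".join(kept) + b"\n\n" + message, b"\n".join(sig_lines) + b"\n"


def split_tag(raw: bytes):
    """Signed tag (git tag -s): the armored signature is appended after the
    tag message; the payload is everything before the line it begins on."""
    pos = 0
    while pos < len(raw):
        if raw.startswith(PGP_BEGIN, pos):
            return raw[:pos], raw[pos:]
        nl = raw.find(b"\n", pos)
        pos = len(raw) if nl < 0 else nl + 1
    return raw, None


def embed_gpgsig(sig: bytes) -> bytes:
    """Format an armored signature the way git stores it in a commit header
    (inverse of the parsing above; used here only to build the sample)."""
    return b"gpgsig " + b"\n ".join(sig.rstrip(b"\n").split(b"\n")) + b"\n"


def covered_headers(payload: bytes):
    """Header field names that fall under the signature, in object order."""
    header = payload.partition(b"\n\n")[0]
    return [l.split(b" ", 1)[0].decode()
            for l in header.split(b"\n") if not l.startswith(b" ")]


def gpg_status(payload: bytes, sig: bytes):
    """Run gpg as git does and return its status keywords: GOODSIG/BADSIG
    settle the 'crypto' half, TRUST_* is where the web of trust enters.
    Returns None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".sig")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sig)
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd=1", "--keyid-format=long",
             "--verify", path, "-"],
            input=payload, capture_output=True, timeout=30)
    finally:
        os.unlink(path)
    return [l.split()[1].decode() for l in proc.stdout.splitlines()
            if l.startswith(b"[GNUPG:] ") and len(l.split()) > 1]


# Constructed sample objects: names, parent/object hashes and the armored
# signature are placeholders; the tree hash is git's empty tree.
SAMPLE_SIG = (b"-----BEGIN PGP SIGNATURE-----\n\n"
              b"iQEzBAABCAAdFiEEnotarealsignaturejustaplaceholder0123456789AB\n"
              b"=AbCd\n"
              b"-----END PGP SIGNATURE-----\n")
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 0123456789abcdef0123456789abcdef01234567\n"
    b"author Alice Example <alice@example.org> 1385941200 -0800\n"
    b"committer Alice Example <alice@example.org> 1385941200 -0800\n"
    + embed_gpgsig(SAMPLE_SIG)
    + b"\nNotes from the keysigning party\n")
SAMPLE_TAG = (
    b"object 89abcdef0123456789abcdef0123456789abcdef\n"
    b"type commit\n"
    b"tag v1.0\n"
    b"tagger Alice Example <alice@example.org> 1385941200 -0800\n"
    b"\nRelease 1.0\n" + SAMPLE_SIG)

if __name__ == "__main__":
    payload, sig = split_commit(SAMPLE_COMMIT)
    print("commit signature covers:", covered_headers(payload), "+ message")
    print("gpg status:", gpg_status(payload, sig))
    payload, sig = split_tag(SAMPLE_TAG)
    print("tag signature covers:", covered_headers(payload), "+ message")
```

To run it on a real object, feed it the output of git cat-file commit <sha> or git cat-file tag <name>; compare with git verify-commit <sha> or git log --show-signature. Note that a signed commit covers the tree and parent hashes by reference only, so the guarantee is only as strong as the hash that names them.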