This is the comment you were replying to, attached to the weblog Debian ca-certificates question
Re: Debian ca-certificates question
Posted by simonw (84.45.xx.xx) on Mon 5 Mar 2007 at 20:01
In theory "apt" should have checked that the package was digitally signed, so it should have a digital key trail back to the DD who uploaded it.

He might have found them on the back of a cereal packet, but if you don't trust DDs you have bigger issues if you run Debian.

"Note that certificate authorities whose certificates are included in this package are not in any way audited for trustworthiness and RFC 3647 compliance, and that full responsibility to assess them rests with the user."

Basically if someone gets paid money to say you are who you claim to be, the whole scheme is flawed from the start. Now who do I have to pay to get my GPG key signed?

My experience at looking at the innards of certificate authority behaviour, protocols and support is that "at least my credit card number is encrypted" as it goes to "whoever" ;)
