[tahoe-dev] SSL samurai attack migration ninjas, film at 11

James A. Donald jamesd at echeque.com
Sat Oct 29 06:21:06 UTC 2011


On 2011-10-29 3:46 PM, Olaf TNSB wrote:
> Shawn,
>
> I'm not sure that I could be as relaxed about self signed certs as you. It
> feels a lot like when I download code with a gpg/pgp signature where the
> signing key hasn't been signed by anyone...

Do you feel much worse about code with gpg signature that whose key is 
not connected to any web of trust, than code that is unsigned?

Actually an unsigned code signing key is just as good as one connected 
to the web of trust, since the main thing that is useful to know is that 
version 1.7 is issued by the same people as version 1.6.



More information about the tahoe-dev mailing list