
05 August 2004

Web Of Trust

CMUCL 19a, a freely available implementation of Common Lisp, has just been released. There are one source tarball and two FreeBSD-specific binary tarballs. Each tarball comes with a PGP signature. As it turns out, the tarballs have been signed by two different keys and these aren't on my keyring.

I can't remember gpg's keyserver syntax, so I hit Google with "pgp keyserver". Chose the entry "PGP Keyserver at ETH Zurich" arbitrarily. Scanned the page... Hmm, appears to be web form-only.

Scrolled down... "Links to PGP Resources" says "William H. Geiger III maintains a page with information about PGP keyservers, including information about their reachability." Hit that link and got redirected to that domain's home page - looks like the domain's original registration expired and it is now used as an advertising billboard. Doh!

Back in the ETHZ page, hit the link "International PGP Network". Okay, this time, got to http://www.ch.pgp.net/pgpnet/, which works.

Ah, so to get a key from the keyserver into a keyring, do this:

gpg --keyserver http://wwwkeys.pgp.net:11371/ --recv-keys blahblah

The two keys that I've just imported are signed by yet another key. Fetch it: This is the common-lisp.net administrative key. Looks good. It is, in turn, signed by yet another key. Get it: The key belongs to Nikodemus Siivola, who has something to do with common-lisp.net, IIRC. It, too, is signed by another key...

Web of trust, huh? I think I'll stop here. ;-)

Except, of course, right away I wonder what software is available to do this web of trust traversal thingy...
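A sketch of that traversal, added here as an example and not part of the original post: it parses the machine-readable output of `gpg --with-colons --list-sigs`, builds a "signed by" graph, and searches from a downloaded key toward a key you already trust. The function names and the sample key IDs are made up for illustration; a path is only meaningful if gpg has verified the signatures (`--check-sigs`) and the anchor key was checked out of band.

```python
from collections import deque

# Constructed sample in `gpg --with-colons --list-sigs` format (key IDs are made up):
# two release keys signed by an admin key, which is signed by a person's key,
# which is signed by a key that is not on the keyring.
SAMPLE = """\
pub:-:1024:17:AAAA000000000001:1088726400:::-:
sig:::17:AAAA000000000001:1088726400::::release key 1 (constructed):13x:
sig:::17:BBBB000000000001:1088812800::::admin key (constructed):10x:
pub:-:1024:17:AAAA000000000002:1088726400:::-:
sig:::17:BBBB000000000001:1088812800::::admin key (constructed):10x:
pub:-:1024:17:BBBB000000000001:1072915200:::-:
sig:::17:CCCC000000000001:1073001600::::a person (constructed):10x:
pub:-:1024:17:CCCC000000000001:1041379200:::-:
sig:::17:DDDD000000000001:1041465600::::[User ID not found]:10x:
"""

def parse_signers(colon_text):
    """Map each primary key ID to the set of other key IDs that signed it."""
    graph, current = {}, None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4]                      # field 5: long key ID
            graph.setdefault(current, set())
        elif f[0] == "sig" and current and len(f) > 4 and f[4] != current:
            graph[current].add(f[4])            # signer's key ID; self-sigs skipped
    return graph

def chain_to_anchor(graph, start, anchors, max_depth=5):
    """Breadth-first search along 'signed by' edges from `start`.
    Returns (path, missing): path is the shortest chain ending at a key in
    `anchors` (or None); missing holds signer key IDs seen on the way that
    are not on the keyring and would need --recv-keys before a rerun."""
    queue, seen, missing = deque([[start]]), {start}, set()
    while queue:
        path = queue.popleft()
        key = path[-1]
        if key in anchors:
            return path, missing
        if key not in graph:
            missing.add(key)
            continue
        if len(path) <= max_depth:              # bound the walk; the web is large
            for signer in sorted(graph[key] - seen):
                seen.add(signer)
                queue.append(path + [signer])
    return None, missing

if __name__ == "__main__":
    print(chain_to_anchor(parse_signers(SAMPLE), "AAAA000000000001", set()))
```

With no trusted anchor the search ends the same way the manual walk did: with a list of signer keys that still have to be fetched.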


Posted by ngps at 00:48