Quote:
Originally Posted by IdOp
I know next to nothing about crypto, so I have a really dumb question.  |
Me too, me too.
If you think you're dumb, I'm even dumber.
Quote:
Originally Posted by jggimi
When you install the initial unverified OS, how can you trust anything it's telling you? Isn't it possible, at least in principle, that the bad guys have tampered with and corrupted it such that when you think you're running signify on it, you get bogus output that says "everything is ok" ?
|
I second that.
About two to three years ago I attended a seminar hosted by developers of some anonymity software. I think it was Tor or Tails.
Anyway one of them advised those who were unable to obtain the developers' public signing keys in person to download their software from several different FTP sites hosted in different countries, compared their digital signatures and over a period of time, if nothing to the contrary shows up, we can then trust their public keys. We know now that this logic is wrong.