Re: PGP Key Signing HOWTO: preparation for Linux Expo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Manoj" == Manoj Srivastava <srivasta@debian.org> writes:
Manoj> Hi,
>>> "Joseph" == Joseph Carter <knghtbrd@debian.org> writes:
Joseph> It does matter. You have to be certain. A person I know
Joseph> well enough that I would recognize their voice, have seen
Joseph> their ID, and calling me to verify keyid, size, and
Joseph> fingerprint is good enough for me (because I have good memory
Joseph> for what people who are ... um, unique and stand out in my
Joseph> mind (krooger for his trademark silly hat among other things)
Joseph> is enough for me if I can be certain it's them, but
Joseph> otherwise, I need to have met them and be sure.
Manoj> Heh. Won't do at all, unless you ask them trick questions that
Manoj> only they know the answers to. (Voices can be forged well enough to
Manoj> fool human ears over a phone line)
So I take it the Debian maintainer PGP verification process (with
sending in a signed copy of some valid ID, and then being called on
the phone) is not secure enough for you.
It certainly isn't for me... I wouldn't accept anything *but* another
maintainer's signature.
Manoj> I generally ask for two forms of ID, but even that is not
Manoj> perfect (nothing is).
Wow, you must be *really* paranoid... ;-)
Bye, J
- --
Jürgen A. Erhard eMail: jae@ilk.de phone: (GERMANY) 0721 27326
MARS: http://members.tripod.com/~Juergen_Erhard/mars_index.html
"Ever wonder why the SAME PEOPLE
make up ALL the conspiracy theories?" -- Michael K. Johnson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.5b (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjcqXAAACgkQN0B+CS56qs1+MACfaagziNB/SgfEYibQuxpIlIwT
UykAoJbQtCJ0fS3ZgU3KA9c8rUDAjCIE
=oNq/
-----END PGP SIGNATURE-----