* Manoj Srivastava (srivasta@debian.org) wrote:
> Explanation? What we have here is an act of bad faith, in the
> guise of demonstrating a weakness. In my experience, one act of bad
> faith often leads to others.

pffft. This is taking it to an extreme. He wasn't trying to fake who he was, it just wasn't an ID issued by a generally recognized government (or perhaps not a government at all, but whatever). This is not unlike, say, the ID of a private university (or possibly a public university, since the university itself isn't really a government institution but rather receives gov't funding, heh, I think). And, as he points out, it's not like all gov'ts are all that trustworthy or do much in the way of checking before issuing an ID. It's unfortunate, but it's not something we're likely going to be able to fix (the gov't part of it, anyway).

One thing to consider might be having a select set of people who are already highly trusted and are knowledgeable about the appropriate way to handle key generation, key signing, distribution, etc., create essentially a Debian Certificate Authority. Now, this doesn't *have* to be done using X.509 certs and openssl; it could be done inside the framework of the gpg system and would just mean that there's a specific set of people who are "uploader-key-signers" or some such. These people would also have the additional task of educating newcomers on the importance of careful key management, etc. Obvious initial candidates for this might include: ftpmasters, DAMs, AMs, debian-keyring maintainer.

Thanks,

Stephen
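The "Debian CA inside gpg" idea above amounts to a trust-model setting rather than new infrastructure: a verifier gives the designated uploader-key-signers full ownertrust and everyone else marginal, and GnuPG's classic trust computation does the rest. The following is an added example, not code from the original message and not a Debian or GnuPG tool. It models that computation over a constructed certification graph, using GnuPG's documented defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5); the key names and signature graph are made up, and signatures are assumed to have already been cryptographically verified, since the point is the trust walk, not signature checking.

```python
"""Model of GnuPG's classic trust computation applied to a designated-signers
("Debian CA") policy.  Added example; all keys and signatures below are made up,
and the certifications are assumed to be already cryptographically verified."""
from typing import Dict, Set, Tuple

FULL = "full"          # key is a trusted introducer: one signature suffices
MARGINAL = "marginal"  # key is a marginal introducer: three are needed

# Parameters mirroring gpg's defaults:
#   --completes-needed 1 --marginals-needed 3 --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_valid_keys(certs: Dict[str, Set[str]],
                       roots: Set[str],
                       ownertrust: Dict[str, str]) -> Set[str]:
    """Return the set of keys a verifier would treat as valid.

    certs:      key -> set of keys that have certified (signed) that key
    roots:      the verifier's own (ultimately trusted) keys, always valid
    ownertrust: key -> FULL or MARGINAL; absent keys never introduce anyone
    """
    valid = set(roots)
    for _depth in range(MAX_CERT_DEPTH):
        newly: Set[str] = set()
        for key, signers in certs.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves valid count,
            # and each signer contributes according to its ownertrust.
            fulls = sum(1 for s in signers
                        if s in valid and (s in roots or ownertrust.get(s) == FULL))
            margs = sum(1 for s in signers
                        if s in valid and ownertrust.get(s) == MARGINAL)
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed certification graph (hypothetical names).  "me" is the verifier,
# who has personally verified and signed the designated signers' keys.
ROOTS = {"me"}
DESIGNATED = {"ftpmaster", "dam", "keyring-maint"}
CERTS: Dict[str, Set[str]] = {
    "ftpmaster":     {"me"},
    "dam":           {"me"},
    "keyring-maint": {"me"},
    "alice":   {"dam"},                       # newcomer, one designated signer
    "carol":   {"ftpmaster"},
    "erin":    {"keyring-maint"},
    "dave":    {"alice", "carol", "erin"},    # three marginal introducers
    "bob":     {"alice"},                     # one marginal introducer only
    "mallory": {"x1", "x2", "x3"},            # three signers nobody trusts
}


def all_keys(certs: Dict[str, Set[str]]) -> Set[str]:
    return set(certs) | {s for signers in certs.values() for s in signers}


def ownertrust_for(designated: Set[str]) -> Dict[str, str]:
    """Everyone is a marginal introducer except the designated signers."""
    trust = {k: MARGINAL for k in all_keys(CERTS)}
    for k in designated:
        trust[k] = FULL
    return trust


def demo() -> Tuple[Set[str], Set[str]]:
    """Valid keys with the designated-signer policy vs. an all-marginal policy."""
    with_ca = compute_valid_keys(CERTS, ROOTS, ownertrust_for(DESIGNATED))
    without_ca = compute_valid_keys(CERTS, ROOTS, ownertrust_for(set()))
    return with_ca, without_ca


if __name__ == "__main__":
    with_ca, without_ca = demo()
    print("designated signers:", sorted(with_ca))
    print("all marginal:      ", sorted(without_ca))
```

The contrast is the whole point: with the designated set marked full, a newcomer such as alice becomes valid on the strength of one signature from dam, and dave becomes valid through three marginally trusted (but valid) newcomers, while bob (one marginal signature) and mallory (three signatures from keys that are not valid at all) stay invalid. Drop the designated set, and the verifier accepts nothing beyond the keys it signed itself. In real GnuPG the equivalent configuration is setting ownertrust on the designated keys (or having them issue trust signatures), not any change to the key format.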