[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PGP Key Signing HOWTO: preparation for Linux Expo

Hash: SHA1

>>>>> "Manoj" == Manoj Srivastava <srivasta@debian.org> writes:

    Manoj> Hi,
    >>> "Joseph" == Joseph Carter <knghtbrd@debian.org> writes:

    Joseph> It does matter.  You have to be certain.  A person I know
    Joseph> well enough that I would recognize their voice, have seen
    Joseph> their ID, and calling me to verify keyid, size, and
    Joseph> fingerprint is good enough for me (because I have good memory
    Joseph> for what people who are ... um, unique and stand out in my
    Joseph> mind (krooger for his trademark silly hat among other things)
    Joseph> is enough for me if I can be certain it's them, but
    Joseph> otherwise, I need to have met them and be sure.

    Manoj>         Heh. Won't do at all, unless you ask them trick questions that
    Manoj>  only they klnow the answers to. (Voices can be forged well enough to
    Manoj>  fool human ears over a phone line)

So I take it the Debian maintainer PGP verification process (with
sending in a signed copy of some valid ID, and then being called on
the phone) is not secure enough for you.

It certainly isn't for me... I wouldn't accept anything *but* another
maintainer's signature.

    Manoj>         I generally ask for two forms of ID, but even that is not
    Manoj>  perfect (nothing is).

Wow, you must be *really* paranoid... ;-)

Bye, J

- -- 
Jürgen A. Erhard      eMail: jae@ilk.de      phone: (GERMANY) 0721 27326
    MARS: http://members.tripod.com/~Juergen_Erhard/mars_index.html
		    "Ever wonder why the SAME PEOPLE
      make up ALL the conspiracy theories?" -- Michael K. Johnson
Version: GnuPG v0.9.5b (GNU/Linux)
Comment: For info see http://www.gnupg.org


Reply to: