
Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)



>>>>> "Joseph" == Joseph Carter <knghtbrd@debian.org> writes:

>>>>> "Nicolás" == Nicolás Lichtmaier <nick@debian.org> wrote:

    Nicolás> There isn't a strong relationship between identification and Debian trust.
    Nicolás> If someone's key is signed, that doesn't mean that the signer certifies a
    Nicolás> person as a good and kosher developer. On the other hand, my key is in the
    Nicolás> keyring and it isn't signed by anyone...

    Nicolás> Not everybody lives a couple of hours away from other developers...

    Joseph> Ahh, but Karl does [...]

  Who do I live near?  I know of Jamie Sharp.  Who else?  I've not met
  them and would like to.  Portland, OR, USA.

    Joseph> [...] - and Karl has a history of asking (in public) for
    Joseph> people to sign his key without proof of identity.  He's
    Joseph> tried very hard in fact.  This rates him as completely
    Joseph> untrusted IMO because he has willingly and repeatedly
    Joseph> tried to compromise our web of trust despite explanations
    Joseph> of just how wrong what he's trying to do is.

 That is not true.  I've tried to prove my identity by signing a scan
 of my state ID with the key and placing that in my home directory on
 people.debian.org.  The few maintainers whom I've met in person can
 look at that ID scan and verify that the man in the photo is the man
 they met.  That was an attempt at verifying my identity.

 It is flawed, however, as I now see.  Someone could conceivably have
 broken into Karl's storage locker where he stashed the contents of
 his apartment before hitchhiking to Ski Villa USA to get a job
 washing dishes... and found the scan of Karl's ID card, created a new
 key, and started trying to get that key in the keyring in preparation
 for total sabotage.

 How can we verify my identity?  You should not "trust me" too much
 until you can verify I'm who I say I am in some way.  `vic'
 conference?  Meet in person?  How?  Sean Perry or Amos Shapirah, whom
 I've met, can verify that the man in the photo on "people" is the man
 they've met.  Neither of them can vouch for my character; we are
 strangers.  Neither of them can vouch that I'm (typing this email)
 the person in that photo either... unless they ask me specific
 questions about our meeting, and I ask them the same sort of
 questions.  It's sort of like the key fingerprint; but more like
 "what did I have for lunch?" or "what did the sign say?".

    Joseph> Further, he has resigned.  Twice that I've seen.  If his resignation
    Joseph> hasn't been officially accepted, I'd question why nothing has been done
    Joseph> about the obvious attack on the project's security.

 It was rash and not well thought out.  My feelings were hurt, I was
 angry, and I "quit".  A day later I'd changed my mind.  I have *not*
 resigned.

 I have *not* attacked the project's security (intentionally).  That
 statement is bordering on libel, IMO.  Please give me the benefit of
 the doubt, and ID me somehow.  Verify that the man who's been typing
 all this email saying he's Karl Hegbloom really is him; the man in
 the photo in people.debian.org:~karlheg/.

 Once again, the public key there on "people" should be considered
 *interim* and not my future official Debian key.  I will create the
 official key in the presence of another developer.  That interim key
 though I can use to verify that it's not been an imposter all this
 time.

 Wish I was out skiing today though...  my new job will pay enough to
 afford to go.  It will be good to get up on Mt. Hood this winter!

 Karl M. Hegbloom <karlheg@debian.org>


