Re: Keysigning without physically meeting ... thoughts?



On Sun, Jun 19, 2005 at 03:19:14PM +1000, Brian May wrote:
> >>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:
> 
>     >> Is this process "correct"? Or did something go seriously wrong
>     >> here?  If it was correct, why was it correct? If it was wrong,
>     >> why was it wrong?
> 
> For anyone who didn't pick it up; I lied: <brian@debian.org> isn't my
> email address.
> 
>     Steve> Many people consider all of options a), b), and c) to be
>     Steve> inappropriate, and will instead encrypt each of the uid
>     Steve> signatures individually and mail them to the corresponding
>     Steve> email address, to verify that you control each address.
> 
> I didn't see any key signing HOWTO or FAQ that mentioned this, not
> even the Debian guide. Do you have a reference?
> 
> However, if I was able to intercept email to <brian@debian.org> (maybe
> I have exploited a security hole in master.debian.org that hasn't been
> discovered/fixed yet), this wouldn't help.

DDs from time to time are MIA, busy, on vacation, etc. Is that not
another form of 'security hole'? Would this not allow time for someone
to intercept mail, NMU, etc.?

Cheers,
Kev
<much snippage>
-- 
counter.li.org #238656 -- goto counter.li.org and be counted!
      `$'         $'         
       $          $                      _
 ,d$$$g$  ,d$$$b. $,d$$$b`$' g$$$$$b $,d$$b
,$P'  `$ ,$P' `Y$ $$'  `$ $  "'   `$ $$' `$
$$     $ $$ggggg$ $     $ $ ,$P""  $ $    $
`$g. ,$$ `$$._ _. $ _,g$P $ `$b. ,$$ $    $
 `Y$$P'$. `Y$$$$P $$$P"' ,$. `Y$$P'$ $.  ,$.
