[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys

* Manoj Srivastava (srivasta@debian.org) wrote:
>         Explanation? What we have here is an act of bad faith, in the
>  guise of  demonstrating a weakness. In my experience, one act of bad
>  faith often leads to others.

pffft.  This is taking it to an extreme.  He wasn't trying to fake who
he was, it just wasn't an ID issued by a generally recognized
government (or perhaps not a government at all, but whatever).  This is
not unlike, say, the ID of a private university (or possibly a public
university since the university itself isn't really a government
institution but rather receives gov't funding, heh, I think).  And, as
he points out, it's not like all gov'ts are all that trustworthy or do
much in the way of checking before issueing an ID.  It's unfortunate but
it's not something we're likely going to be able to fix (the gov't part
of it anyway).

One thing to consider might be having a select set of people who are
already highly trusted and are knowledgeable about the appropriate way
to handle key generation, key signing, distribution, etc, create
essentially a Debian Certificate Authority.  Now, this doesn't *have* to
be done using X.509 certs and openssl, it could be done inside the
framework of the gpg system and would just mean that there's a specific
set of people who are "uploader-key-signers" or some such.  These people
would also have the additional task of educating newcomers on the
importance of careful key management, etc.

Obvious initial candidates for this might include: ftpmasters, DAMs,
AMs, debian-keyring maintainer.



Attachment: signature.asc
Description: Digital signature

Reply to: