Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys
On Thu, May 25, 2006 at 04:16:24PM -0500, Manoj Srivastava <firstname.lastname@example.org> wrote:
> The KSP was cracked, People signed a key without ever looking
> at proper, official ID. You can try and save face by calling it
> whatever you want, but that does not change the reality.
Manoj, how do *you* ensure the ID that someone presents you is a proper,
official ID ?
I'm pretty sure we can find official IDs that look so lame that you'd think
it's a fake (the old french ones could be good example, and i know people
who still use that as an ID, though they wouldn't come to a KSP ; they
don't even know what a GPG/PGP key is). You could also find fake IDs that
look quite official.
Actually, the whole thing is that if you want to subvert the key signing
process, you can do it pretty easily. A lot of people buy fake passports
or IDs for whatever reasons ; subverting a KSP is just a new kind of
So, if you're afraid of fake IDs, just stop signing keys.