
Re: Please revoke your signatures from Martin Kraff's keys

On 25 May 2006, Thomas Bushnell told this:

> Manoj Srivastava <srivasta@debian.org> writes:
>> It has come to my attention that Martin Kraff used an unofficial,
>> and easily forgeable, identity device at a large key signing party
>> recently.  This was apparently to belabour the obvious point that
>> large KSPs are events where it is hard to reasonably check, in a
>> large international KSP, anything beyond matching
>> pictures/names/expiry dates, especially after an hour or so after
>> starting.
> So, you are confident that the person who did this is in fact Martin
> Kraff, right?

        Not any more.

>> Based on this, I strongly suggest that mere signatures on a new
>> maintainer's key from a DD be also not enough, since people have now
>> effectively proven how easily signatures may be obtained at a large
>> KSP by just about anyone with money for an easily faked ID.
> What would you suggest instead?

        Stop signing keys for Debian developers, since purchased IDs
 are acceptable in this community? ;) At this point, I am not sure what
 my stance is going to be.

The Law of the Letter: The best way to inspire fresh thoughts is to
seal the envelope.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
