Re: Authentication with LP for DD's using gnupg
On Fri, Aug 01, 2008 at 12:07:34PM +0200, Martin Zobel-Helas wrote:
> On Fri Aug 01, 2008 at 10:42:52 +0100, Neil Williams wrote:
> > > On Sun, Jul 27, 2008 at 03:58:57PM +0100, Neil Williams wrote:
> > > > > > * Reinhard Tartler [Wed, Jul 23 2008, 04:36:39PM]:
> > > > > >> > How about activating it the first time they send a gpg-signed mail to the mail interface?
> > > > How about simply allowing any DD to send gpg-signed email to add
> > > ^^
> > > That requires LP to know who is or isn't a DD. Currently it has no
> it does or at least it may.
> rsync keyring.debian.org::keyrings/keyrings/debian-keyring.gpg
> can be synced publicly
Well, what trust path does that give us if LP uses rsync to copy the data?
It would seem possible for someone to steal a DD's LP account then by
MITM'ing this rsync.
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/