
Re: Authentication with LP for DD's using gnupg



On Fri, Aug 01, 2008 at 12:07:34PM +0200, Martin Zobel-Helas wrote:

> On Fri Aug 01, 2008 at 10:42:52 +0100, Neil Williams wrote:
> > > On Sun, Jul 27, 2008 at 03:58:57PM +0100, Neil Williams wrote:
> > > > > > * Reinhard Tartler [Wed, Jul 23 2008, 04:36:39PM]:

> > > > > >> > How about activating it the first time they send a gpg-signed mail to
> > > > > >> > the mail interface?

> > > > How about simply allowing any DD to send gpg-signed email to add
> > > ^^

> > > That requires LP to know who is or isn't a DD. Currently it has no

> it does or at least it may. 

> rsync keyring.debian.org::keyrings/keyrings/debian-keyring.gpg 

> can be synced publicly

Well, what trust path does that give us if LP uses rsync to copy the data?
It would seem possible for someone to steal a DD's LP account then by
MITM'ing this rsync.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

