Quoting Michael Lustfield (2016-06-23 21:27:15)
> Somewhere, I saw it mentioned that you should be able to verify based
> on history only and their legal name doesn't matter. I don't entirely
> disagree. The chances of the NSA building a super computer to
> contribute to Debian, become a DD, and add backdoors into unwatched
> packages are pretty low. However, this does create hurdles for someone
> that has left the project under poor circumstances to build a new
> identity that they use to harm the project. It's also comforting to
> imagine every DD/DM is a real person, just like the rest of us, and is
> the person they claim to be.

Beware not to confuse matters: PGP signing does *not* imply judgement of social intent or coding skills! PGP signing is *only* about identification. Only when reliable identification is established can we, on top of that but _separately_ from the identification, do e.g. endorsements.

When I sign keys of others, I insist on spending time with them first, but only to try to memorize them for a later "lineup", not to judge their skills or attitude or political agenda. I would sign the key of a complete lunatic, if only I felt confident that I could reasonably reliably identify that person again later.

 - Jonas

P.S. Probably not a _complete_ lunatic: If I get the impression that the person is incapable of handling PGP signing properly, then I will also not sign: If e.g. they handle their secret material too sloppily, then others might too easily get hold of it and impersonate them, effectively leaving me unable to re-identify them later (I would fail at recognizing the impersonator!).

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private