
PGP and verifying ids / emails (fwd)



Aarrgh! Wrong To: address!


Our little systems have their day;
They have their day and cease to be;
They are but broken lights of thee.
		-- Tennyson

---------- Forwarded message ----------
Date: Tue, 27 Jul 1999 12:51:44 -0500 (CDT)
From: Jor-el <jorel@marvin.megadodo.umb>
To: debian-mentors@list.debian.org
Subject: PGP and verifying ids / emails

Hi,

	I recently had a developer sign my PGP key, but I haven't yet
resolved in my own mind some of the points he brought up.

	I use two email ids : this one (Jor-el <jorel@ibm.net>) and
another one which uses my real name, and which for the purposes of this
discussion, I will say is : "Bob Smith" <bob_smith@ibm.net>.

	I met the developer in person, and we exchanged PGP fingerprints.
I provided him my PGP fingerprints for both my ids. I later sent him my
public keys for signing (via an email using the Jor-el id), and he signed
the Bob Smith id. He said that he couldn't sign the second (Jor-el) id
since he hadn't seen any proof that I was in fact Jor-el.

1.  Should he have signed my PGP key if the id I sent him was "Bob Smith"
<jorel@ibm.net>? The "Bob Smith" tag is totally arbitrary and has less
permanence than the actual email id attached to it. If he could sign it
with the "Bob Smith" tag attached to it, why wouldn't he be able to sign a
key for the same email id with the "Jor-el" tag attached to it?

2.  Let's assume that the answer to question (1) is that under no
circumstances should he sign the Jor-el id. Would the Jor-el id be
considered trustworthy enough for Debian, if I signed it with my "Bob
Smith" PGP key (and given the fact that I had a trusted developer sign the
Bob Smith key)? I would be inclined to say 'yes' since Jor-el could in
fact be a totally separate individual, whose key could have been signed by
me ("Bob Smith") - after which Jor-el would then be PGP trusted.

3.  The developer also mentioned that all Debian developer records are
correlated against the real name. I would have no problems providing both
my ids to the new-maintainer group and verifying my Bob Smith id to them.
But would I be permitted to do uploads or whatever that requires a PGP
signature by a signed (by Bob Smith) key of Jor-el? For the curious, it's
just that I organized all my Debian activities on my machine around this
id, while using my other id for non-Debian activities. It would be a great
pain to change this.

Regards,
Jor-el

Our little systems have their day;
They have their day and cease to be;
They are but broken lights of thee.
		-- Tennyson


