
Re: PGP and verifying ids / emails



On Wed, 28 Jul 1999, Jor-el wrote:
> 	Maybe I am being unusually dense here, but what proof did you see
> that the ksteph1@ibm.net id actually belonged to me? For all you know, it
> could be the id used by Bill Gates himself, with my name tagged onto it.
> Unless you look up my ISP records, there is no way you can say that the id
> does or does not belong to me. This is the same for the Jor-el id too.
> Under the circumstances, you should have been able to sign the second one
> too. If I had presented a PGP key with the id of "Kenneth Stephen
> <billg@microsoft.com>" (assuming that this is an email id of Bill Gates),
> would you have signed my key? According to your argument, there would have
> been no reason for you not to. Indeed your whole argument rests on
> trusting me to tell the truth that the email id in question is indeed
> mine. 

   You showed me proof of your IDENTITY.  Your email address is a way to
reach you, and possibly distinguish bobsmith1 from bobsmith2.  You
yourself have signed your own ID, claiming that that is your email
address.  All that's important though is that I know the key belongs to
you.  An email address is just an email address.


> 	If I become a Debian maintainer, I will indeed provide them with
> my real name. But to continue with your analogy, once I am hired by the
> company, I can have the sysadmin set up my ids to whatever I want to within
> reasonable limits. By the same token, Debian would know what my real name
> is, and anyone who wanted to check could do so. What is so sacred about me
> using another id which Debian would be able to correlate to me with the
> SAME AMOUNT OF ACCURACY AND TRUST that they would have for the other id?
> Your argument about them not being able to trust the Jor-el id is based on
> the fact that you didn't sign it. My argument is that there is no reason
> for you not to sign it, and thus it should also be valid for Debian use.

   You can get your @debian.org address to be whatever you want.  You will
still sign your packages with your real name.

   Adam


