
Re: gpg key validity question



On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote:

> I forgot to mention that we exchanged encrypted secret words and that I
> checked the fingerprint when I met him.

> He uses his email address in his gpg key but his email address is not
> related to his name.

> I am sure he is the guy behind the key.
> I started this thread because of the debian implication.

> I believe that from the pure 'web of trust' point of view I can sign his
> key.

> Now from the debian point of view, I don't know.
> I understand that the NM process needs an ID. So whether I sign his key or
> not, it should not be possible for him to go further without providing a
> gpg key containing his name and signed by a dd.
> So this told me that I can sign his key.

> But I am not sure there is no flaw in the NM process here:
> . Would an authentication be required if his without-ID key is signed
> by a dd?
> . What if he adds a with-ID uid in his key after. I would not have signed
> this new uid but then I am afraid that he will pass the 'Identification'
> step of the NM process. Even if he adds a false identity.

> My current thought is that I will sign his key if he adds first a uid
> with ID data corresponding to the ID I have checked. 

I still don't understand what you mean by a 'without-ID key'.  It's
difficult to give you a clear answer unless you can give us tangible
information.  A PGP uid has three parts to it: a name, an email address,
and a comment.  What does he have in each of these?  If the PGP key he's
asking you to sign has a name OTHER than his own on it, then you should
NOT sign it:  if anything, you should mention this to his AM.

If he's trying to become a DD, he will need to have a PGP key that has
his real, legal name on it, with a valid email address, and this key
must be signed by an existing DD.  If he doesn't have a PGP key that has
his name on it, that's the first step that he must take.

Steve Langasek
postmodern programmer
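
Added example, not part of the original thread: OpenPGP certifications are made on one specific user ID, so a signature on an email-only uid does not extend to a uid added to the key later. The Python sketch below splits a uid into the name, comment and email parts mentioned above and reports which uids a given signer has certified; the listing is a constructed sample in the style of `gpg --with-colons --list-sigs`, and every key ID, name and address in it is made up.

```python
import re

# Constructed sample (not real keys). Colon-listing fields used here:
# field 1 = record type, field 5 = signer key ID (sig), field 10 = user ID text.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1019692800:::-:::scESC:
uid:-::::1019692800::HASH1::<nick@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1019692800::::<nick@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1019779200::::Some Developer <dd@example.org>:10x:
uid:-::::1022284800::HASH2::Real Name (work) <nick@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1022284800::::<nick@example.org>:13x:
"""

# Conventional uid layout: Name (Comment) <email>, every part optional.
UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$")

def parse_uid(text):
    """Split a uid string into name, comment and email (empty string if absent)."""
    m = UID_RE.match(text.strip())
    if not m:  # free-form uid that does not follow the convention
        return {"name": text.strip(), "comment": "", "email": ""}
    return {k: (v or "") for k, v in m.groupdict().items()}

def certified_uids(listing, signer_keyid):
    """Map each uid to True/False: does it carry a signature from signer_keyid?"""
    result, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current = f[9]
            result[current] = False
        elif f[0] in ("pub", "sub"):
            current = None          # signatures here are not uid certifications
        elif f[0] == "sig" and current is not None and f[4] == signer_keyid:
            result[current] = True
    return result

def report(listing, signer_keyid):
    """Return (name, email, certified_by_signer) for every uid on the key."""
    rows = []
    for uid, signed in certified_uids(listing, signer_keyid).items():
        parts = parse_uid(uid)
        rows.append((parts["name"], parts["email"], signed))
    return rows

if __name__ == "__main__":
    for name, email, signed in report(SAMPLE, "BBBBBBBBBBBBBBBB"):
        print(f"name={name or '(none)'} email={email} certified={signed}")
```

In the sample, the signer `BBBBBBBBBBBBBBBB` has certified only the email-only uid; the named uid added later carries just the key owner's self-signature.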
