On Thu, Apr 25, 2002 at 10:56:31AM -0400, christophe barbé wrote: > I forgot to mention that we exchanged encrypted secret words and that I > check the fingerprint when I meet him. > He use his email address in his gpg key but his email address is not > related to his name. > I am sure he is the guy behind the key. > I started this thread because of the debian implication. > I believe that from the pure 'web of trust' point of view I can sign his > key. > Now from the debian point of view, I don't know. > I understand that the NM process need an ID. So even if I sign his key or > not, It should not be possible for him to go further without providing a > gpg key containing his name and signed by a dd. > So this told me that I can sign his key. > But I am not sure there is no flaw in the NM process here : > . Would an authentification be required if his without-ID key is signed > by a dd ? > . What if he add a with-ID uid in his key after. I would not have signed > this new uid but then I am afraid that he will pass the 'Identification' > step of the NM process. Even if he add a false identity. > My current thought is that I will sign his key if he adds first a uid > with ID data corresponding to the ID I have checked. Upon rereading, I see what you're asking here. You're worried that if you sign a uid that doesn't have his name on it, and he adds another uid later that does have a name on it (not necessarily his), this will mistakenly be accepted by the DAM as identification, correct? Honestly, I don't believe DAM is that sloppy, and I wouldn't worry about it... Given how often people complain about the process being slow, I think it's clear that DAM takes the job very seriously :) Steve Langasek postmodern programmer
Attachment:
pgpUJ5gYQY87R.pgp
Description: PGP signature