Re: gpg key validity question

To: debian mentors <debian-mentors@lists.debian.org>
Subject: Re: gpg key validity question
From: Andrew Suffield <asuffield@debian.org>
Date: Thu, 25 Apr 2002 16:36:55 +0100
Message-id: <[🔎] 20020425163655.A11035@doc.ic.ac.uk>
Mail-followup-to: debian mentors <debian-mentors@lists.debian.org>
In-reply-to: <[🔎] 20020425151124.GH8463@netexpress.net>; from vorlon@netexpress.net on Thu, Apr 25, 2002 at 10:11:25AM -0500
References: <[🔎] 20020425140420.GI15122@localhost> <[🔎] 20020425144028.GD8463@netexpress.net> <[🔎] 20020425145631.GP15122@localhost> <[🔎] 20020425151124.GH8463@netexpress.net>

On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > He use his email address in his gpg key but his email address is not
> > related to his name.
> 
> > I am sure he is the guy behind the key.
> > I started this thread because of the debian implication.
> 
> > I believe that from the pure 'web of trust' point of view I can sign his
> > key.
> 
> > Now from the debian point of view, I don't know.
> > I understand that the NM process need an ID. So even if I sign his key or
> > not, It should not be possible for him to go further without providing a
> > gpg key containing his name and signed by a dd.
> > So this told me that I can sign his key. 

I would hope that the AM would not accept such a signature to pass the
identification stage, let alone the DAM.

> > But I am not sure there is no flaw in the NM process here :
> > . Would an authentification be required if his without-ID key is signed
> > by a dd ?
> > . What if he add a with-ID uid in his key after. I would not have signed
> > this new uid but then I am afraid that he will pass the 'Identification'
> > step of the NM process. Even if he add a false identity.
> 
> > My current thought is that I will sign his key if he adds first a uid
> > with ID data corresponding to the ID I have checked. 

Yup, that works. It's still the same key.

> Upon rereading, I see what you're asking here.  You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct?  Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think 
> it's clear that DAM takes the job very seriously :)

Without firm identification, if he roots all the debian hosts and gets
kicked out, he could just create a new email account and do it
again. Names aren't optional.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'                          | Imperial College,
   `-             -><-          | London, UK


-- 
To UNSUBSCRIBE, email to debian-mentors-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- gpg key validity question
  - From: christophe barbé <christophe.barbe.ml@online.fr>
- Re: gpg key validity question
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: gpg key validity question
  - From: christophe barbé <christophe.barbe@ufies.org>
- Re: gpg key validity question
  - From: Steve Langasek <vorlon@netexpress.net>

Prev by Date: Re: gpg key validity question
Next by Date: Re: gpg key validity question
Previous by thread: Re: gpg key validity question
Next by thread: Re: gpg key validity question
Index(es):
- Date
- Thread