* Maik Schreiber <blizzy@g.o> [2002-08-05 12:51]:
>
> > This is just another way of a challenge/response. I challenge you to
> > log in to the CVS machine. The same methodology applies.
>
> Yes, but the SSH approach is different in that I rely on trusting whoever
> granted CVS access. Using the telephone approach, there's exactly nobody I
> could trust in the first place.

Not entirely the case... Daniel could call me, and since I trust
Daniel's PGP key I could have him sign a quote that I state over the phone.

"To be or not to be" <-- he signs this and emails me the signature, since
I trust his key and the signature validates, I have authenticated him
over the phone. (Or reasonably sure it is him on the phone, unless he
is in collaboration with a 3rd party, then no security system would work).

>
> > Why not have a key signing party at LinuxWorld?
>
> Think of cost and time.
>

It takes less than two minutes to verify a person's fingerprint, and to
sign a key...

-ryan