| 1 |
* Maik Schreiber <blizzy@g.o> [2002-08-05 12:51]: |
| 2 |
> |
| 3 |
> > This is just another way of a challenge/response. I challenge you to |
| 4 |
> > login into the CVS machine. The same methodology applies. |
| 5 |
> |
| 6 |
> Yes, but the SSH approach is different in that I rely on trusting whoever |
| 7 |
> granted CVS access. Using the telephone approach, there's exactly nobody I |
| 8 |
> could trust in the first place. |
| 9 |
|
| 10 |
Not entirely the case... Daniel could call me, and since I trust |
| 11 |
daniels PGP key I could have him sign a quote that I state over the phone. |
| 12 |
|
| 13 |
"To be or not to be" <-- he signs this and emails me the signature, since |
| 14 |
I trust his key and the signature validates I have authenticated him |
| 15 |
over the phone. (Or reasonably sure it is him on the phone, unless he |
| 16 |
is in collaboration with a 3rd party, then no security system would work). |
| 17 |
|
| 18 |
> |
| 19 |
> > Why not have a key signing party at linux world? |
| 20 |
> |
| 21 |
> Think of cost and time. |
| 22 |
> |
| 23 |
|
| 24 |
It takes less than two minutes to verify a person's fingerprint, and to |
| 25 |
sign a key... |
| 26 |
|
| 27 |
-ryan |
Archives