* Maik Schreiber <blizzy@g.o> [2002-08-05 08:21]:
>
> > As for a keyring - all a developer has to do is create their own key,
> > and verify the fingerprint with someone... Doing a three way phone call
> > would work
>
> No, it wouldn't.
>
> > one person is someone we all trust,
>
> Exactly _who_ is that person we all trust? I don't know any of the other
> devs personally, and when it comes to key(rings), I don't trust any of
> them either (no offense intended).
>
> > the other person is
> > there to verify the fingerprint (as is the first person), and the last
> > person is the person being added to the keyring... A simple challenge
> > and response...
>
> I'd rather trust seemant or drobbins or whoever granted CVS access for
> Gentoo. Every dev can put their public key on the dev machine for one
> keyring manager to sign them. (This can be done by a 1777 chmod'ed
> directory.)

This is just another way of a challenge/response. I challenge you
to log in to the CVS machine. The same methodology applies.

Why not have a key signing party at linux world?

-r