| 1 |
* Maik Schreiber <blizzy@g.o> [2002-08-05 08:21]: |
| 2 |
> |
| 3 |
> > As for a keyring - all a developer has to do is create their own key, |
| 4 |
> > and verify the fingerprint with someone... Doing a three way phone call |
| 5 |
> > would work |
| 6 |
> |
| 7 |
> No, it wouldn't. |
| 8 |
> |
| 9 |
> > one person is someone we all trust, |
| 10 |
> |
| 11 |
> Exactly _who_ is that person we all trust? I don't know any of the other |
| 12 |
> devs personally, and when it comes to key(rings), I don't trust any of |
| 13 |
> them either (no offense intended). |
| 14 |
> |
| 15 |
> > the other person is |
| 16 |
> > there to verify the fingerprint (as is the first person), and the last |
| 17 |
> > person is the person being added to the keyring... A simple challenge |
| 18 |
> > and response... |
| 19 |
> |
| 20 |
> I'd rather trust seemant or drobbins or whoever granted CVS access for |
| 21 |
> Gentoo. Every dev can put their public key on the dev machine for one |
| 22 |
> keyring manager to sign them. (This can be done by a 1777 chmod'ed |
| 23 |
> directory.) |
| 24 |
|
| 25 |
This is just another way of a challenge/response. I challenge you |
| 26 |
to login into the CVS machine. The same methodology applies. |
| 27 |
|
| 28 |
Why not have a key signing party at linux world? |
| 29 |
|
| 30 |
-r |
Archives