| 1 |
On Tue, Dec 02, 2003 at 03:29:16AM +0000, Luke-Jr wrote: |
| 2 |
> > (1) admin is bottleneck |
| 3 |
> There's a few hours delay from when key is uploaded to dev to when it's copied |
| 4 |
> to cvs anyway... Besides, considering the admin need to create the account in |
| 5 |
> the first place, this isn't really an issue. Existing devs can have keys |
| 6 |
> uploaded before passwords are disabled. |
| 7 |
I do agree that the admin bottleneck isn't as much of a problem as it |
| 8 |
could be, as the admin has to create the account in the first place, but |
| 9 |
that and adding the key can be seperate actions. Eg, admin creates the |
| 10 |
account, and asks user to send ssh key. 3rd party intercepts this |
| 11 |
request, and answers themselves before the new developer does. |
| 12 |
|
| 13 |
> > (2) verifying the key wasnt messed with in transit |
| 14 |
> > your solution really doesnt address either ... in fact the irc thing is a |
| 15 |
> > *really bad* idea ... |
| 16 |
> > after all, dcc/irc is as easy to manipulate as telnet (well even easier :D) |
| 17 |
> Bug freenode to support GPG authentication for registered nicknames? =p |
| 18 |
Pipe dream as that would be very non-standard AFAIK. |
| 19 |
|
| 20 |
Lets go back to your suggestion of GPG-signed mail for a moment. |
| 21 |
That still doesn't provide much help. I can easily generate a GPG key |
| 22 |
with your name and email address on them, and unless you have an |
| 23 |
existing key that is on the web-of-trust, I can't prove that the key is |
| 24 |
actually yours. |
| 25 |
|
| 26 |
-- |
| 27 |
Robin Hugh Johnson |
| 28 |
E-Mail : robbat2@××××××××××××××.net |
| 29 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
| 30 |
ICQ# : 30269588 or 41961639 |
| 31 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives