1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On Tuesday 02 December 2003 06:11, Luke-Jr wrote: |
5 |
> In which case, one would need to establish that they are actually |
6 |
> talking with the person who is to give the key and be sure that it is |
7 |
> not someone else they are talking with. |
8 |
> I don't see how this is any less an issue with sending new devs |
9 |
> passwords, anyway... |
10 |
|
11 |
In which way is this different from telling someone the temporary |
12 |
password over ssh. How can you know that you are talking to the actual |
13 |
prospective dev. If that prospective dev has allready used pgp to sign |
14 |
his messages to the list, one can be fairly sure that you are talking to |
15 |
the person that you intent to make a dev, else, yeah, well... that is a |
16 |
problem not specific to ssh keys and has more to do with social |
17 |
engineering. Is it possible to "infiltrate" an organization like gentoo? |
18 |
And is this risk a real risk. |
19 |
|
20 |
Paul |
21 |
|
22 |
- -- |
23 |
Paul de Vrieze |
24 |
Gentoo Developer |
25 |
Mail: pauldv@g.o |
26 |
Homepage: http://www.devrieze.net |
27 |
-----BEGIN PGP SIGNATURE----- |
28 |
Version: GnuPG v1.2.3 (GNU/Linux) |
29 |
|
30 |
iD8DBQE/zFwmbKx5DBjWFdsRAtcVAJ9hNzHDxDdqa2MWywdJi6XElRQ55ACeN7sq |
31 |
CDICcIrBZFhbd43ciB0WWTM= |
32 |
=m9V3 |
33 |
-----END PGP SIGNATURE----- |
34 |
|
35 |
|
36 |
-- |
37 |
gentoo-dev@g.o mailing list |