| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Tuesday 02 December 2003 06:11, Luke-Jr wrote: |
| 5 |
> In which case, one would need to establish that they are actually |
| 6 |
> talking with the person who is to give the key and be sure that it is |
| 7 |
> not someone else they are talking with. |
| 8 |
> I don't see how this is any less an issue with sending new devs |
| 9 |
> passwords, anyway... |
| 10 |
|
| 11 |
In which way is this different from telling someone the temporary |
| 12 |
password over ssh. How can you know that you are talking to the actual |
| 13 |
prospective dev. If that prospective dev has allready used pgp to sign |
| 14 |
his messages to the list, one can be fairly sure that you are talking to |
| 15 |
the person that you intent to make a dev, else, yeah, well... that is a |
| 16 |
problem not specific to ssh keys and has more to do with social |
| 17 |
engineering. Is it possible to "infiltrate" an organization like gentoo? |
| 18 |
And is this risk a real risk. |
| 19 |
|
| 20 |
Paul |
| 21 |
|
| 22 |
- -- |
| 23 |
Paul de Vrieze |
| 24 |
Gentoo Developer |
| 25 |
Mail: pauldv@g.o |
| 26 |
Homepage: http://www.devrieze.net |
| 27 |
-----BEGIN PGP SIGNATURE----- |
| 28 |
Version: GnuPG v1.2.3 (GNU/Linux) |
| 29 |
|
| 30 |
iD8DBQE/zFwmbKx5DBjWFdsRAtcVAJ9hNzHDxDdqa2MWywdJi6XElRQ55ACeN7sq |
| 31 |
CDICcIrBZFhbd43ciB0WWTM= |
| 32 |
=m9V3 |
| 33 |
-----END PGP SIGNATURE----- |
| 34 |
|
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-dev@g.o mailing list |
Archives