| 1 |
> > * The key should be signed by some central instance for automated |
| 2 |
> > validity check. |
| 3 |
> > |
| 4 |
> > Here things get hairy. How about having recruiter/infra team sign a dev's |
| 5 |
> > key on completion of the recruitment process? Just a first thought... |
| 6 |
> |
| 7 |
> I think this is an important requirement however it's quite difficult |
| 8 |
> to conduct reliably. A normal keysigning process usually requires |
| 9 |
> knowing one personally (and perhaps verifying fingerprints over a |
| 10 |
> phone with voice verification), seeing one's ID personally and the |
| 11 |
> like. This is probably unfeasible in the Gentoo development |
| 12 |
> environment (I'm not a dev, though, so I'm just guessing). |
| 13 |
|
| 14 |
Well, as long as the signed UID is the specific "Gentoo address UID", this |
| 15 |
should be no problem, since... |
| 16 |
|
| 17 |
* the signature proves the key belongs to the e-mail address, nothing else |
| 18 |
* the e-mail address is given to the owner of the key during recruitment |
| 19 |
|
| 20 |
Meaning nobody is certifying something that he/she does not know already by |
| 21 |
definition. |
| 22 |
|
| 23 |
Please point out any thinkos... :) |
| 24 |
|
| 25 |
-- |
| 26 |
|
| 27 |
Andreas K. Huettel |
| 28 |
Gentoo Linux developer |
| 29 |
dilfridge@g.o |
| 30 |
http://www.akhuettel.de/ |
Archives