> > * The key should be signed by some central instance for automated
> > validity check.
> >
> > Here things get hairy. How about having recruiter/infra team sign a dev's
> > key on completion of the recruitment process? Just a first thought...
>
> I think this is an important requirement, however it's quite difficult
> to conduct reliably. A normal keysigning process usually requires
> knowing one personally (and perhaps verifying fingerprints over a
> phone with voice verification), seeing one's ID personally and the
> like. This is probably unfeasible in the Gentoo development
> environment (I'm not a dev, though, so I'm just guessing).

Well, as long as the signed UID is the specific "Gentoo address UID", this
should be no problem, since...

* the signature proves the key belongs to the e-mail address, nothing else
* the e-mail address is given to the owner of the key during recruitment

Meaning nobody is certifying something that he/she does not know already by
definition.

Please point out any thinkos... :)

--

Andreas K. Huettel
Gentoo Linux developer
dilfridge@g.o
http://www.akhuettel.de/
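The mechanism the reply relies on, shown as an added example that is not part of the original thread or of any Gentoo tooling: OpenPGP certifications are made per user ID, so a central "recruiters" key can certify only the Gentoo-address UID on a developer's key and leave every other UID on that key uncertified. The script runs GnuPG in a throwaway GNUPGHOME; the identities, the `gentoo.example` and `personal.example` domains, and the key passphrases are constructed for the demonstration and are not real.

```shell
#!/bin/sh
# Added demonstration (not from the thread): a "recruiters" key certifies only the
# Gentoo-address user ID on a developer's key. All identities, addresses and the
# gentoo.example / personal.example domains are constructed for this example.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

# Throwaway keyring so the host's keys are never touched.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Non-interactive gpg with an empty passphrase (acceptable for demo keys only).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Constructed identities: the certifying "central instance" and a developer
# whose key carries both a Gentoo-address UID and a private-address UID.
RECRUITERS='Gentoo Recruiters <recruiters@gentoo.example>'
DEV_GENTOO='Jane Dev <jdev@gentoo.example>'
DEV_PRIVATE='Jane Dev <jane@personal.example>'

# Full fingerprint of the first key matching a user-ID pattern.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

g --quick-generate-key "$RECRUITERS" default default never
g --quick-generate-key "$DEV_GENTOO" default default never
RECRUITERS_FPR=$(fpr_of recruiters@gentoo.example)
DEV_FPR=$(fpr_of jdev@gentoo.example)
g --quick-add-uid "$DEV_FPR" "$DEV_PRIVATE"

# The recruitment-time step: certify ONLY the Gentoo-address UID. An OpenPGP
# certification binds the key to one user ID, so the private UID is untouched.
g --default-key "$RECRUITERS_FPR" --quick-sign-key "$DEV_FPR" "$DEV_GENTOO"

# Success iff the recruiters' key has certified the given UID on the dev key.
# In --with-colons output each "uid" record is followed by the "sig" records
# on that user ID; field 5 of a sig record is the long key ID of the signer.
certified_by_recruiters() {
    signer=$(printf '%s' "$RECRUITERS_FPR" | tail -c 16)
    gpg --batch --with-colons --list-sigs "$DEV_FPR" | awk -F: -v uid="$1" -v kid="$signer" '
        $1=="uid" {cur=$10}
        $1=="sig" && cur==uid && $5==kid {found=1}
        END {exit found ? 0 : 1}'
}

# What the recruiters attested to, and what they did not.
if certified_by_recruiters "$DEV_GENTOO"; then
    echo "certified: $DEV_GENTOO"
fi
if ! certified_by_recruiters "$DEV_PRIVATE"; then
    echo "not certified: $DEV_PRIVATE"
fi
```

A consumer that wants the "automated validity check" from the quoted requirement does the same walk over `gpg --with-colons --check-sigs` output: accept a key for a given Gentoo address only if the UID carrying that address has a valid certification from the recruiters' key, and ignore any other UIDs on the key, which is exactly the scope the reply argues for.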