On Fri, Mar 25, 2011 at 4:33 PM, Andreas K. Huettel wrote:
>> and nowhere do we require you to generate a gpg key bound to the
>> Gentoo e-mail address. we require you to provide a gpg key only.
>> like you said *right here*, we have 0 information to identify you, and
>> using a Gentoo e-mail address adds *nothing* to that. so why add a
>> completely useless requirement?
>
> Because, pointing out the obvious, the key can contain all sorts of random true or false information. I could have a user id saying "Barack Obama <president@××××××××××.gov>".
>
> To be able to do key validation based on gpg's mechanisms, a userid needs to be signed. As e.g. Scarabeus and Wired can confirm, I'm definitely not Barack Obama, but for less obvious cases the validity of the provided identity may be unclear.
>
> Now, if I add a userid "<dilfridge@g.o>" to my key, this userid does not contain any information that is not already verified and "in the Gentoo infra data". So, this one userid could be signed immediately by a central instance without any further fuss.

first off, fix your e-mail client. this long line crap is ridiculous.

second, anyone can add/remove e-mail addresses. we aren't verifying
e-mail addresses, we're verifying keys. the *only* thing that matters
is that the key we have on file (0xabcd) is the one that was used to
sign.

> It's imho not a hard requirement, but it considerably eases administration. So why not require it for devs?

it makes 0 difference to administration
-mike
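Mike's point that only the key on file matters, shown as an added example that is not part of the thread: a parser for the machine-readable lines gpg emits with `--status-fd` that accepts a signature by the signing key's fingerprint against a project allow-list, while the name and e-mail in the GOODSIG user ID are treated as informational only. The status output, the fingerprint and the owner mapping are constructed.

```python
"""Accept a signature by the fingerprint on file, not by the UID it claims.

Added example, not code from the gentoo-dev thread. It parses `gpg --status-fd`
output: GOODSIG carries the user ID (free text anyone can put on a key), while
VALIDSIG carries the fingerprint of the signing key and, when a subkey signed,
the primary key fingerprint. Only the latter is matched against the allow-list.
"""

# Constructed: a 40-hex placeholder for the key the thread calls 0xabcd.
FPR = "ABCD" * 10

# Constructed allow-list: fingerprints "on file" mapped to the developer.
KEYS_ON_FILE = {FPR: "dilfridge"}

# Constructed status-fd output for one verification run. The UID deliberately
# claims an identity the key owner does not have.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] KEY_CONSIDERED {fpr} 0\n"
    "[GNUPG:] SIG_ID x9z/constructed 2011-03-25 1301070780\n"
    "[GNUPG:] GOODSIG {short} Barack Obama <president@example.gov>\n"
    "[GNUPG:] VALIDSIG {fpr} 2011-03-25 1301070780 0 4 0 1 10 00 {fpr}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
).format(fpr=FPR, short=FPR[-16:])

# Status keywords after which the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def verify_by_fingerprint(status_text, keys_on_file):
    """Return (owner, claimed_uid): owner is the allow-list entry for the
    fingerprint in VALIDSIG, or None; claimed_uid is the GOODSIG text,
    returned only so a caller can log what the key *says* about itself."""
    owner, claimed_uid = None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return None, claimed_uid      # signature itself is unacceptable
        if keyword == "GOODSIG":
            claimed_uid = " ".join(fields[3:])   # informational only
        elif keyword == "VALIDSIG":
            sig_fpr = fields[2]
            # Field 11 is the primary key fingerprint when a subkey signed.
            primary_fpr = fields[11] if len(fields) > 11 else sig_fpr
            for fpr in (sig_fpr, primary_fpr):
                if fpr in keys_on_file:
                    owner = keys_on_file[fpr]
    return owner, claimed_uid
```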