On Fri, 25 Mar 2011 10:44:31 +0100
"Andreas K. Huettel" <dilfridge@g.o> wrote:

> * the signature proves the key belongs to the e-mail address, nothing
> else

Anyone could generate a signature with one of my @g.o e-mail addresses
in it, then pass themselves off as myself, right? If they then trick you
into thinking that I sent the mail you received, signed with their key,
they're all set. Having the "right" e-mail address in the key would not
improve anything.

> * the e-mail address is given to the owner of the key during
> recruitment

It's been a while, but I am certain I did not have a @gentoo.org
address yet _during_ recruitment, and I was instead asked to provide an
address that I _did_ already use. It looks like that still has not
changed.[1] Looking at the e-mail from that time, it seems I had been
asked to sign my SSH key with it and send it to recruiters@.


jer


[1] http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
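
Added example, not part of the original post: a check that decides whose signature it is from the key fingerprint GnuPG reports on `--status-fd`, next to one that matches on the UID text, which any key can carry. The status lines, fingerprints, name and address are constructed, and the function names are hypothetical.

```python
# Constructed sample data: fingerprints, key IDs, name and address are placeholders.
PINNED = {  # fingerprint verified out of band -> developer nick
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": "dev",
}

GENUINE = """\
[GNUPG:] GOODSIG DDDD4444EEEE5555 Constructed Dev <dev@example.org>
[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2011-03-25 1301046271 0 4 0 1 2 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
"""
# A different key whose owner typed the same name and address into the UID.
LOOKALIKE = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Dev <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-03-25 1301046271 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
BAD = "[GNUPG:] BADSIG DDDD4444EEEE5555 Constructed Dev <dev@example.org>\n"


def parse_status(status_text):
    """Return (claimed_uid, primary_fingerprint) from gpg --status-fd output."""
    uid, fpr = None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            # Everything after the key ID is the self-asserted user ID string.
            uid = " ".join(fields[3:])
        elif fields[1] == "VALIDSIG":
            # The optional 10th argument is the primary key fingerprint;
            # fall back to the signing key fingerprint when it is absent.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
    return uid, fpr


def trusts_by_uid(status_text, address):
    """Weak check: accepts any valid signature whose UID contains the address."""
    uid, _ = parse_status(status_text)
    return uid is not None and f"<{address}>" in uid


def trusts_by_fingerprint(status_text, pinned=PINNED):
    """Return the pinned nick for the signing key, or None if it is not pinned."""
    _, fpr = parse_status(status_text)
    return pinned.get(fpr)
```
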