| 1 |
On Fri, 25 Mar 2011 10:44:31 +0100 |
| 2 |
"Andreas K. Huettel" <dilfridge@g.o> wrote: |
| 3 |
|
| 4 |
> * the signature proves the key belongs to the e-mail address, nothing |
| 5 |
> else |
| 6 |
|
| 7 |
Anyone could generate a signature with one of my @g.o e-mail addresses |
| 8 |
in it, then pass themselves off as myself, right? If they then trick you |
| 9 |
into thinking that I sent the mail you received, signed with their key, |
| 10 |
they're all set. Having the "right" e-mail address in the key would not |
| 11 |
improve anything. |
| 12 |
|
| 13 |
> * the e-mail address is given to the owner of the key during |
| 14 |
> recruitment |
| 15 |
|
| 16 |
It's been a while, but I am certain I did not have a @gentoo.org |
| 17 |
address yet _during_ recruitment, and I was instead asked to provide an |
| 18 |
address that I _did_ already use. It looks like that still has not |
| 19 |
changed.[1] Looking at the e-mail from that time, it seems I had been |
| 20 |
asked to sign my SSH key with it and send it to recruiters@. |
| 21 |
|
| 22 |
|
| 23 |
jer |
| 24 |
|
| 25 |
|
| 26 |
[1] http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 |
Archives