On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@g.o> wrote:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.

This part could be addressed easily by having Gentoo create a signing
key, and automatically signing all dev keys based on LDAP using it.
Then users can trust that one key and inherit trust for the rest.

Users have to opt into the trust model by trusting somebody's key no
matter what. No reason that couldn't be a centrally-managed one.

I'll also agree with the comment that physically interacting with
people is not all that easy. There are many areas of the world where
FOSS developers are relatively uncommon, let alone Gentoo ones.
Unless those alternate organizations have VERY broad coverage (such as
an alternative of a notary recognized by any country or something like
that) you're still going to have issues.

> Verify the person's real name (at least for the user identifier
> used for copyright purposes). This is usually done through
> verifying an identification document with photograph. It is
> a good idea to ask for the document type earlier, and read on
> forgery protections used.

"usually"? "identification document"? Does this mean that an
appropriate method of verification is entirely up to individual
discretion? If so that makes the process of getting every key signed
fairly trivial as long as two people have (in?)appropriately-rigorous
standards...

-- 
Rich
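The central-key trust model proposed above, as an added shell example that is not part of the thread or of any Gentoo tooling: a constructed central key certifies a constructed developer key, and a user who assigns ownertrust to only that one key sees the developer key go from not valid to fully valid. All key names, addresses and directories are placeholders; it assumes GnuPG 2.1 or later and, for brevity, gives the central key ultimate ownertrust rather than the more cautious local-signature-plus-full-ownertrust setup.

```shell
#!/bin/sh
# Added example (not from the thread): one central key signs developer keys;
# a user who trusts only the central key inherits trust for every signed dev key.
# All key names/addresses are constructed placeholders. Requires GnuPG >= 2.1.
set -eu

mk_key() {  # $1 = homedir, $2 = user id; creates an unprotected key in batch mode
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never
}

fpr_of() {  # $1 = homedir holding exactly one key -> its fingerprint
  gpg --homedir "$1" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

validity_of() {  # $1 = homedir, $2 = fingerprint -> validity letter of the pub record
  gpg --homedir "$1" --batch --check-trustdb >/dev/null 2>&1
  gpg --homedir "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'
}

# Prints "<validity before central signature> <validity after>", e.g. "- f".
demo_trust() {
  work=$(mktemp -d)
  trap 'for d in "$work"/*; do gpgconf --homedir "$d" --kill all >/dev/null 2>&1 || true; done; rm -rf "$work"' EXIT
  for d in central dev user; do mkdir -m 700 "$work/$d"; done
  central="$work/central"; dev="$work/dev"; user="$work/user"
  mk_key "$central" "Central Signing Key (constructed) <central@example.invalid>"
  mk_key "$dev"     "Example Developer (constructed) <dev@example.invalid>"
  central_fpr=$(fpr_of "$central"); dev_fpr=$(fpr_of "$dev")

  # User side: import the central key and trust it (ultimate here for brevity;
  # lsign-ing it with your own key plus full ownertrust is the more cautious form).
  gpg --homedir "$central" --export "$central_fpr" | gpg --homedir "$user" --quiet --import
  echo "$central_fpr:6:" | gpg --homedir "$user" --quiet --import-ownertrust

  # The developer key as published, with no signature from the central key: not valid.
  gpg --homedir "$dev" --export "$dev_fpr" | gpg --homedir "$user" --quiet --import
  before=$(validity_of "$user" "$dev_fpr")

  # The central key certifies the developer key (the step the mail proposes driving
  # from LDAP); the user re-imports the key, which now carries that signature.
  gpg --homedir "$dev" --export "$dev_fpr" | gpg --homedir "$central" --quiet --import
  gpg --homedir "$central" --batch --yes --quick-sign-key "$dev_fpr"
  gpg --homedir "$central" --export "$dev_fpr" | gpg --homedir "$user" --quiet --import
  after=$(validity_of "$user" "$dev_fpr")

  echo "$before $after"
}
```

Run `demo_trust` to see the two validity letters; the first is the developer key's validity with no trust path, the second after the central key's certification reaches the user's keyring.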