| 1 |
On 01/04/2017 02:47 PM, Kristian Fiskerstrand wrote: |
| 2 |
> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote: |
| 3 |
>> With increasing focus on security in various contexts I'd like to |
| 4 |
>> propose that we start discussing catching up with other distributions |
| 5 |
>> and start requiring new developers' OpenPGP keyblocks to have at least |
| 6 |
>> two signatures from existing developers before applications can be |
| 7 |
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 8 |
>> |
| 9 |
|
| 10 |
By analogy with the CA system for websites: I don't care if the |
| 11 |
government of China thinks you're the Bank of America. All I want to |
| 12 |
know is, are you the guy that has my money? |
| 13 |
|
| 14 |
Likewise, I don't care if MichaĆ thinks you look like Kristian |
| 15 |
Fiskerstrand. All I want to know is, are you the guy that passed the |
| 16 |
quizzes and pasted his key into LDAP? You can change your name, move to |
| 17 |
another country, switch genders -- I don't care -- you'll always be |
| 18 |
0x0B7F8B60E3EDFAE3 to me. Having others verify your name is interesting |
| 19 |
metadata, but it isn't your primary key. |
Archives