I'm not sold -- I just don't see how having my key signed provides any
additional trust at this point. It looks like the closest developers to
me are pesa and tetromino (hi!) at around 45 miles.

Suppose I go meet Davide. We can either,

a) Verify that we both have driver's licenses with the correct
   information, and sign each other's keys to verify that we
   are who we say we are. This provides no additional security,
   because my legal name isn't what I use to commit, nor is it
   what you use to verify my commits.

b) Verify that we can each SSH into dev.gentoo.org, confirming
   that I am really mjo and that he is really pesa. Again, we
   already know that the guy who has mjo's key is mjo and the guy
   who has pesa's key is pesa. Nothing new is learned.

If we do both, then you've learned that mjo was Michael Orlitzky at one
point in time. That's interesting metadata, but how does it provide
security?