| 1 |
I'm not sold -- I just don't see how having my key signed provides any |
| 2 |
additional trust at this point. It looks like the closest developers to |
| 3 |
me are pesa and tetromino (hi!) at around 45 miles. |
| 4 |
|
| 5 |
Suppose I go meet Davide. We can either, |
| 6 |
|
| 7 |
a) Verify that we both have driver's licenses with the correct |
| 8 |
information, and sign each others keys to verify that we |
| 9 |
are who we say we are. This provides no additional security, |
| 10 |
because my legal name isn't what I use to commit, nor is it |
| 11 |
what you use to verify my commits. |
| 12 |
|
| 13 |
b) Verify that we can each SSH into dev.gentoo.org, confirming |
| 14 |
that I am really mjo and that he is really pesa. Again, we |
| 15 |
already know that the guy who has mjo's key is mjo and the guy |
| 16 |
who has pesa's key is pesa. Nothing new is learned. |
| 17 |
|
| 18 |
If we do both, then you've learned that mjo was Michael Orlitzky at one |
| 19 |
point in time. That's interesting metadata, but how does it provide |
| 20 |
security? |
Archives