
Re: testing my pgp/introducing myself



On Fri, 2006-05-05 at 03:27 -0500, Patrick W. Barnes wrote:
> On Thursday 04 May 2006 21:59, Karsten Wade <kwade redhat com> wrote:
> >
> > Missed opportunity at the last FUDCon for a keysigning.  Why don't we
> > care about those anymore?  Don't we need a strong web of trust for
> > Fedora keys to mean anything themselves?
> >
> > Is there any way we can do keysigning parties not in person?  For
> > example ...
> >
> > Okay, I started to write out a process that included pictures of
> > ourselves signed and encrypted and verified ... and it was crazier than
> > ever.
> >
> > Anyone want to start a Fedora Keys SIG that works to get _everyone_ to
> > pause for a keysigning wherever two Fedorans meet in the meat?
> >
> 
> Others may have a different view, but I don't see meeting in person as a 
> requirement for trust among Fedora contributors.  The real purpose of 
> requiring face-to-face contact is to allow identities to be verified.  Since 
> we are identified to each other by our contributions, we have less of a need 
> to attach a GPG key to a face and more need to attach a GPG key to a 
> contributor identity.  

+1. Many Fedora contributors may not be able to meet others
physically...though we do access the same Project services via online
identities, so perhaps Project people or systems could serve as trusted
third-parties in some fashion...

> This can be accomplished through regular usage of 
> keys.  For example, since I always sign my messages, and you can be 
> reasonably sure of my contributor identity, you can infer that it is safe to 
> trust the key that I regularly sign with.  

Lots of the bits that make up a contributor identity are listed on
personal Wiki pages, or in the accounts system... Random thought: The
CLA agreement has to be GPG signed, and the accounts system provides a
list of contributors. Does the database behind the accounts system store
anything relating to GPG?


> It would be just as easy for 
> someone to show up at a FUDCon with an ID card that has my name on it and 
> claim to be me for the sake of getting their key signed, and that's why 
> face-to-face keysigning parties aren't as useful for Fedora contributors.

-- 

Stuart Ellis

stuart elsn org

Fedora Documentation Project: http://fedora.redhat.com/projects/docs/

GPG key ID: 7098ABEA
GPG key fingerprint: 68B0 E291 FB19 C845 E60E  9569 292E E365 7098 ABEA

Attachment: signature.asc
Description: This is a digitally signed message part

