Aníbal Monsalve Salazar wrote:
> As I wrote, please, you don't have to trust either me or Graham
> Wilson. All points raised by vorlon below are valid.

There's another disappointing thing about the KSP last week. Well, a couple. I know most of the local people (or some other minorities who are not used to large KSPs) don't understand how KSPs are organized, how they are made. More information regarding this should be given; it is a complete pain in the ass having people making huge gaps because they don't understand or remember what they should do (Moray could remember this from when the KSP started, as I desperately explained in Spanish to a local person what he should do). I know this is not in our hands, but something should be done to prevent this stuff from happening. That first guy in front of me wasn't the only one in this situation.

I guess I'm making a personal policy to not sign any key generated in less than 6 months. Otherwise, I don't trust enough that the other person really understands what a signing exchange is.

Another disappointing fact is that some of the people who were at the KSP also signed some of those who weren't. I know this from a first-hand contact who didn't attend the party (he was in the list, though), and received his signed key by mail (and he didn't exchange IDs with anybody before or after the KSP, he didn't do any key exchanging or anything at all, and he _did_ get some signed keys), probably by four or five persons, as I was told. That makes me completely skeptical about attending any KSP in the future. What's the point if people don't understand what they are doing or if people don't really care whose keys they sign? Where does the web of trust really end?

> >5. the victim claims to have verified a checksum that they did not.
> >6. the fraudulent key is signed, allowing the KSP organizer to impersonate
> >   the victim to the community.

That's a shame actually.

I know some of the guys around me were asking me to repeat the MD5 sum that madduck had just said out loud, so they could write it down since a) they didn't understand a character or got lost, or b) they don't understand a bit of English to get the characters dictated. Then why should I trust those persons? And I bet all of them confirmed to have checked the fingerprint and the MD5 sum of the file while signing, as a robot process without understanding everything happening around them. I also got to one person whom, jokingly, I asked for his passphrase, and he started to read his fingerprint. That only shows some of the people don't understand what GPG/PGP is and confuse terms and the like.

> >So if you don't get a signature from me this year, come to DebConf again
> >next year and this time don't let Anibal fill out the checksum for you. :)

When the additional printouts were ready, I was in Oaxtepec and couldn't print them personally at home or at the office. I asked gram if they (the orga team) had an available printer I could use. He asked me what I needed to print and I said the additional KSP printout. He replied that Anibal would have some printouts available for everybody, and since I don't really like this whole issue of getting the papers from 3rd parties, I told him I'd prefer to print it myself. After a few attempts to print, I couldn't do it, since the printer was broken/out of something, and I had to fall back on Anibal's additional printouts (those which weren't signed manually by him).

That makes me think of something: a) No additional list should be generated, and b) If people don't bring the printouts verified at home previously, they couldn't attend the KSP.

Just my 2 pesos cents :)

--
David Moreno Garza <[EMAIL PROTECTED]> | http://www.damog.net/
<[EMAIL PROTECTED]> | GPG: C671257D
Imagine a large red swirl here.