On Thu, 25 May 2006, Manoj Srivastava wrote:
> It has come to my attention that Martin Kraff used an
> unofficial, and easily forge-able, identity device at a large key [...]

Should you not have *signed* a message of this sort? I certainly won't do anything until I know for sure it came from you. And preferably, we need to hear Martin's side as well, before doing anything hasty (like either signing keys, or revoking signatures of keys).

> Based on this, I strongly suggest that mere signatures on a
> new maintainers key from a DD be also not enough, since people have

We need an alternative, then. Any ideas? The easy answer is passports, but not everyone has passports with proper security devices (and I mean this as not everyone lives in a *country* which issues such passports, so they are effectively impossible to get for these people). And we don't teach DDs how to verify those either (which we should, it is always a good idea to know these things. Any pointers?).

> now effectively proven how easily signatures may be obtained at a
> large KSP by just about anyone with money for an easily faked ID.

This has been a question of trusting enough people not to game the system since day one, and you know it. Fortunately, up until now, nobody had tried to do so... *that we know of*.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

_______________________________________________
Debconf-discuss mailing list
Debconf-discuss@lists.debconf.org
http://lists.debconf.org/mailman/listinfo/debconf-discuss