On Thu, May 25, 2006 at 04:16:24PM -0500, Manoj Srivastava <[EMAIL PROTECTED]> wrote: > The KSP was cracked, People signed a key without ever looking > at proper, official ID. You can try and save face by calling it > whatever you want, but that does not change the reality.
Manoj, how do *you* ensure the ID that someone presents you is a proper, official ID ? I'm pretty sure we can find official IDs that look so lame that you'd think it's a fake (the old french ones could be good example, and i know people who still use that as an ID, though they wouldn't come to a KSP ; they don't even know what a GPG/PGP key is). You could also find fake IDs that look quite official. Actually, the whole thing is that if you want to subvert the key signing process, you can do it pretty easily. A lot of people buy fake passports or IDs for whatever reasons ; subverting a KSP is just a new kind of reason. So, if you're afraid of fake IDs, just stop signing keys. Mike _______________________________________________ Debconf-discuss mailing list Debconf-discuss@lists.debconf.org http://lists.debconf.org/mailman/listinfo/debconf-discuss
