On 25 May 2006, Thomas Bushnell told this:
> Manoj Srivastava <[EMAIL PROTECTED]> writes:
>
>> It has come to my attention that Martin Kraff used an unofficial,
>> and easily forge-able, identity device at a large key signing party
>> recently. This was apparently to belabour the obvious point that
>> large KSP's are events where it is hard to reasonably check. in a
>> large international KSP, anything beyond matching
>> pictures/names/expiry dates, especially after an hour or so after
>> starting.
>
> So, you are confident that the person who did this is in fact Martin
> Kraff, right?
not any more.
>> Based on this, I strongly suggest that mere signatures on a new
>> maintainers key from a DD be also not enough, since people have now
>> effectively proven how easily signatures may be obtained at a large
>> KSP by just about anyone with money for a easily faked ID.
>
> What would you suggest instead?
Stop signing keys for Debian developers, since purchased ID's
are acceptable in this community? ;) At this point, I am not sure what
my stance is going to be.
manoj
--
The Law of the Letter: The best way to inspire fresh thoughts is to
seal the envelope.
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
