On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:

> Nothing that a general software developer can do to check an
> ID is proof against a determined individual, we all assume that there
> is a gentleman's agreement in place that such an attack is not
> mounted.

I assume no such thing. I maintain a healthy degree of skepticism regarding the true motives and identities of everyone, including those whose keys I've signed. It just doesn't interfere with my ability to work with people in advancement of Debian's goals, because I recognize that statistically it can't *matter*: assuming the worst about people is no better than assuming the best, because it basically requires throwing away all collaboration in a project like this in spite of the fact that in over 10 years of Debian's existence there hasn't been a single recorded instance of a package trojaning.

But this is far from assuming that there's a gentleman's agreement in place -- a gentleman's agreement with people I don't know to be gentlemen in the first place is worth the paper it's printed on. OTOH, a gentleman's agreement with people I know *not* to be gentlemen is worth exactly the same, so I have no reason to wish to penalize someone for "cracking" a KSP in this manner.

When I sign a key, I am not asserting that I know beyond any doubt that the keyholder is who they claim to be -- I am only asserting that, *to the best of my ability*, I have verified this. Anyone who thinks that the best of my ability includes detecting any and all forged IDs is pretty delusional, but the best of my ability *should* include confirming that an ID is a form of ID that I'm capable of recognizing, which means that I failed miserably at this KSP.

> > In other words, Bubba sells forgeries, but the Transnational
> > Republic does not.

> Riiight. And I know that how?

In other better words, Bubba is known to sell forgeries, but the Transnational Republic is not known to sell them.

--
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
http://www.debian.org/

Give me a lever long enough and a Free OS to set it on, and I can move the world.