On Thu, Apr 25, 2002 at 10:11:25AM -0500, Steve Langasek wrote:
> > He uses his email address in his gpg key but his email address is not
> > related to his name.
>
> > I am sure he is the guy behind the key.
> > I started this thread because of the Debian implication.
>
> > I believe that from the pure 'web of trust' point of view I can sign his
> > key.
>
> > Now from the Debian point of view, I don't know.
> > I understand that the NM process needs an ID. So even if I sign his key or
> > not, it should not be possible for him to go further without providing a
> > gpg key containing his name and signed by a dd.
> > So this told me that I can sign his key.

I would hope that the AM would not accept such a signature to pass the
identification stage, let alone the DAM.

> > But I am not sure there is no flaw in the NM process here:
> > . Would an authentication be required if his without-ID key is signed
> > by a dd?
> > . What if he adds a with-ID uid in his key after? I would not have signed
> > this new uid but then I am afraid that he will pass the 'Identification'
> > step of the NM process. Even if he adds a false identity.
>
> > My current thought is that I will sign his key if he adds first a uid
> > with ID data corresponding to the ID I have checked.

Yup, that works. It's still the same key.

> Upon rereading, I see what you're asking here. You're worried that if
> you sign a uid that doesn't have his name on it, and he adds another uid
> later that does have a name on it (not necessarily his), this will
> mistakenly be accepted by the DAM as identification, correct? Honestly,
> I don't believe DAM is that sloppy, and I wouldn't worry about it...
> Given how often people complain about the process being slow, I think
> it's clear that DAM takes the job very seriously :)

Without firm identification, if he roots all the Debian hosts and gets
kicked out, he could just create a new email account and do it again.
Names aren't optional.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'                          | Imperial College,
   `-             -><-          | London, UK
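
The concern in this thread, that a signature made on one uid does not cover a uid added to the same key later, can be checked mechanically. The following is an added example, not part of the original mail: it assumes GnuPG's colon-separated listing format (`gpg --with-colons --check-sigs`), and the sample listing, key IDs and user IDs are constructed for illustration.

```python
# Constructed sample shaped like `gpg --with-colons --check-sigs` output.
# Key AAAA... is the applicant's key; BBBB... is the hypothetical signer.
SAMPLE = """\
pub:f:1024:17:AAAAAAAAAAAAAAAA:1019692800:::-:::scESC:
uid:f::::1019692800::0000000000000000000000000000000000000001::nick <nick@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:1019692800::::nick <nick@example.org>:13x:
sig:!::17:BBBBBBBBBBBBBBBB:1019779200::::Some Developer <dd@example.org>:10x:
uid:f::::1019865600::0000000000000000000000000000000000000002::Real Name <nick@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:1019865600::::nick <nick@example.org>:13x:
sub:f:1024:16:CCCCCCCCCCCCCCCC:1019692800::::::e:
sig:!::17:AAAAAAAAAAAAAAAA:1019692800::::nick <nick@example.org>:18x:
"""

# OpenPGP certification signature classes (generic, persona, casual, positive).
CERT_CLASSES = {"10", "11", "12", "13"}


def certifiers_by_uid(colon_listing):
    """Map each user ID to the key IDs that hold a verified, exportable,
    third-party certification on that user ID (self-signatures excluded)."""
    result = {}
    primary = None   # key ID of the key being listed
    current = None   # user ID the following sig records apply to
    for line in colon_listing.splitlines():
        f = line.split(":") + [""] * 12   # pad so short records index safely
        rec = f[0]
        if rec == "pub":
            primary, current = f[4], None
        elif rec == "uid":
            current = f[9]   # note: gpg C-escapes some characters here
            result.setdefault(current, set())
        elif rec in ("sub", "uat"):
            current = None   # following sigs bind a subkey or photo, not a uid
        elif rec == "sig" and current is not None:
            verified = f[1] == "!"          # '!' means gpg checked it as good
            sig_class, scope = f[10][:2], f[10][2:3]
            if (verified and sig_class in CERT_CLASSES
                    and scope == "x" and f[4] != primary):
                result[current].add(f[4])
    return result


def uid_vouched_for(colon_listing, uid, signer_keyid):
    """True only if signer_keyid certified this exact uid."""
    return signer_keyid in certifiers_by_uid(colon_listing).get(uid, set())
```

In the sample, the signer's certification sits on the name-less uid only; the uid carrying a name, added afterwards, has nothing but the key's own self-signature.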