
List:       gentoo-dev
Subject:    Re: [gentoo-dev] Keysigning at LWE
From:       Fred Van Andel <fava () gentoo ! org>
Date:       2003-07-31 17:28:14

Corey Shields <cshields@gentoo.org> wrote:
(07/30/2003 10:24)

Sorry about the delay in responding. My firewall/mailserver was down with hardware issues.

> On Wed, 2003-07-30 at 11:46, Fred Van Andel wrote:
> > I think some people are getting too hung up on the identity thing.
> > 
> > Within the context of the gentoo community does it matter what the real name of
> > someone is?  The only identity that ultimately matters is the identity that has
> > cvs access, and to a lesser extent the identity that appears on irc.
> 
> If someone decides to use a different identity online, that's cool.
> However, they shouldn't take offense to the rest of us signing each
> others keys.
> 
> <snip>
> 
> > To me a signature on a gentoo address means that I am verifying that this
> > identity is a gentoo developer, and I don't need to see government ID for that.
> > In fact official ID gets in the way. I know carpaski is a gentoo developer, but I
> > don't know that this particular individual who is presenting me with ID that says
> > "Nicolas Jones" is in fact carpaski.  He could be a completely different "Nicolas
> > Jones" and I have no way of telling them apart.
> 
> Some of us use the gentoo.org address as a secondary UID on our primary
> gpg key.  Therefore, I would rather know that who I am signing (and vice
> versa) is the identity of that person.  Best way to do that is with a
> photo ID.

In my case I have created a separate key for my gentoo email address so that the key
can be signed/revoked without affecting my main email address.

> If you have a solution for signing keys of people with identities that
> are not their own, maybe that should be used for those people.  

My point is that their gentoo identity is the one that matters, their real identity
is irrelevant to gentoo. As far as gentoo is concerned there is only one identity.

If carpaski were to place his key in his protected directory on dev.g.o I would be
confident that it is his key (root manipulations aside). The presence of
carpaski's key however tells me nothing about Nicolas Jones, that would require more
conventional proof.

> > I realize this might piss off some and I am sorry, but this has been bothering me
> > for some time and I want to vent.
> 
> No, not at all..   kind of expected some fallout when I posted the
> idea.  There are a few of us who will be signing our keys when we meet
> at LWE, and so we just wanted to extend the invitation to anyone else in
> the gentoo community.

I have absolutely no objection to key signings, my objection is within gentoo they
are not strictly necessary.  The requirement for confirming physical IDs will not be
easy since we are a global organization.  The infrastructure changes that are coming
regarding signing and verifying ebuilds and such will be hard to set in place unless
everyone signs and is signed.

Fred Van Andel
fava@gentoo.org
GPG KeyID: 76526AD599455482  
GPG fingerprint: 64E4 4BAB 9C99 D565 3E3C F5D0 7652 6AD5 9945 5482


--
gentoo-dev@gentoo.org mailing list

