Re: kernel.org status: establishing a PGP web of trust

From: Jon Masters
Date: Sat Oct 08 2011 - 14:04:08 EST


On Sat, 2011-10-08 at 10:36 -0400, Valdis.Kletnieks@xxxxxx wrote:
> On Sat, 08 Oct 2011 01:02:13 EDT, Jon Masters said:
>
> > What I'm saying is that unless you sign something (random text, my
> > actual key(s)) in my presence, I can't actually know it was you I was
> > dealing with or someone else claiming to be you (or your identity).
>
> Now see, this is *exactly* why security people have to be pedantic about
> stuff. What you originally asked for was "sign random data to demonstrate
> control of the key", and I pointed out that being able to sign a key was as
> good as being able to sign random data to prove control of the key.

Good point about being pedantic, and the rest of your comments :) I
understand that I'm taking this a little far but I'm just trying to
point out one particular gaping hole in the way these things are
currently done. One reason I stopped doing keysigning parties is that I
realized they were mostly a show. You turn up and get a key signed and
then everyone is impressed that you're in the strong set...wupdedoo. Not
that I've anything against signing stuff on kernel.org and trying to
improve things (I've long directly signed everything on master with my
own keys in slight violation of policy, but that turned out to be right).

:)

Jon.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
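The proof-of-control that the two messages above argue over, as an added example that is not part of the thread or of kernel.org's own tooling: a POSIX shell script against GnuPG that shows both forms of the proof. First the "sign random data" form (a fresh challenge, a detached signature, and a verifier that checks the VALIDSIG status line against the claimed fingerprint), then the "sign my key" form (a certification on the verifier's key, checked with --check-signatures). The keys, user ids (alice@example.invalid, bob@example.invalid), the throwaway GNUPGHOME and the function names are all constructed here for the demonstration; the script needs a gpg 2.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: proving control of a PGP key with GnuPG.
# Everything runs inside a throwaway GNUPGHOME with keys constructed below.
set -e

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# gpg in non-interactive mode; the constructed keys have an empty passphrase.
gpg_q() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Constructed keys: alice is the claimant, bob is the verifier. Both live in
# the same keyring here; in a real exchange bob would import alice's public key.
gpg_q --quick-generate-key 'Alice Example <alice@example.invalid>' ed25519 sign never
gpg_q --quick-generate-key 'Bob Example <bob@example.invalid>' ed25519 sign never

# Primary-key fingerprint of a user id (first fpr record in colon output).
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'; }

# Form 1: the verifier picks fresh random data so a replayed old signature is useless.
make_challenge() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Claimant: detached, armored signature over the challenge text.
#   $1 = signer user id, $2 = challenge string, $3 = output signature path
prove_control() {
  printf '%s\n' "$2" | gpg_q --yes --local-user "$1" --armor --detach-sign --output "$3"
}

# Verifier: accept only if gpg reports VALIDSIG and the signing key (or its
# primary, the last VALIDSIG field) is the fingerprint the claimant asserted.
# Trust level is irrelevant here; this proves control, not identity.
#   $1 = claimed fingerprint, $2 = challenge string, $3 = signature path
verify_proof() {
  printf '%s\n' "$2" | gpg --batch --status-fd 1 --verify "$3" - 2>/dev/null \
    | awk -v fpr="$1" '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==fpr || $NF==fpr) { ok=1 }
                       END { exit !ok }'
}

# Form 2 (the point made in the quoted reply): a certification on the
# verifier's key is itself a signature made with the claimant's private key.
#   $1 = signer user id, $2 = fingerprint of the key being certified
sign_key() { gpg_q --yes --local-user "$1" --quick-sign-key "$2"; }

# Verifier: is there a good ("!") certification on key $1 from the key whose
# fingerprint is $2? Colon "sig" records carry the 16-hex key id in field 5.
key_signed_by() {
  gpg --batch --with-colons --check-signatures "$1" 2>/dev/null \
    | awk -F: -v kid="$(printf '%s' "$2" | tail -c 16)" \
        '$1=="sig" && $2=="!" && $5==kid { ok=1 } END { exit !ok }'
}

ALICE_FPR="$(fpr_of alice@example.invalid)"
BOB_FPR="$(fpr_of bob@example.invalid)"

CHALLENGE="$(make_challenge)"
prove_control alice@example.invalid "$CHALLENGE" "$GNUPGHOME/proof.asc"
if verify_proof "$ALICE_FPR" "$CHALLENGE" "$GNUPGHOME/proof.asc"; then
  echo "challenge signed: control of $ALICE_FPR demonstrated"
fi
# A modified challenge (or a recycled signature) must not verify.
if verify_proof "$ALICE_FPR" "${CHALLENGE}00" "$GNUPGHOME/proof.asc"; then
  echo "BUG: altered challenge verified"; exit 1
fi

sign_key alice@example.invalid "$BOB_FPR"
if key_signed_by "$BOB_FPR" "$ALICE_FPR"; then
  echo "key signature: control of $ALICE_FPR demonstrated by certifying $BOB_FPR"
fi
```

Both paths end in the same check, a signature that only the private key could have produced, which is why the reply above treats them as equivalent for proving control. Neither tells you who is holding the laptop; that part still has to happen in person, which is the hole the message is pointing at.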