[SGVLUG] any Debian developers in the area / keysigning for prospective debian developer

John Kreznar jek at ininx.com
Sat Mar 1 13:35:35 PST 2014


In a posting lacking a digital signature, it is written:

> On Sat, Mar 1, 2014 at 12:09 PM, John Kreznar <jek at ininx.com> wrote:

>> What matters is that the mind that wrote the software and the mind that
>> knows the passphrase to the GPG key are one and the same.  Physical
>> appearance is irrelevant.

> For signing packages, yea.  But for proving that you are this person
> with a certain key, yes, it is relevant.

Ask this person to sign something, and then verify the signature.

> Which brings me back to your point, what would your solution to this be?
> (you meet someone, checked their ID, exchanged keys, and then took
> them on their word that they are the true authors of the package)

The physical meeting, their "ID", and their word add nothing to the
assurance you get by verifying their signature on something.  The key IS
the relevant ID.

-- 
OpenPGP key: http://ininx.com
 John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
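
An added example, not part of the original post or of any participant's message: the check described above (hand the key holder a fresh challenge, have them sign it, verify the signature against the fingerprint you expect) as a GnuPG 2.1+ shell script. The throwaway key, the `demo@example.invalid` address and all function names are constructed for the demo; what the check shows is control of the private key behind that fingerprint.

```bash
#!/bin/sh
# Added example: challenge-response proof of key possession with GnuPG (2.1+).
# Key, address and function names are constructed for the demo.

# Fresh nonce plus UTC time, so an old signature cannot be replayed as the answer.
make_challenge() {
  printf 'key-possession challenge %s %s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
}

# verify_response FINGERPRINT CHALLENGE_FILE SIGNATURE_FILE
# True only when the detached signature is valid for the challenge AND was made
# under the expected primary key. "Good signature" alone is not enough: it may
# come from any key in the keyring.
verify_response() {
  vr_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  vr_status=$(gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
  # VALIDSIG status line: the last field is the primary key fingerprint.
  printf '%s\n' "$vr_status" |
    awk -v want="$vr_want" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

# Constructed demo key in a throwaway keyring; sets GNUPGHOME and DEMO_FPR.
demo_setup() {
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Constructed Demo <demo@example.invalid>' default default never
  DEMO_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid |
    awk -F: '$1 == "fpr" { print $10; exit }')
}

# Key holder's side: detached, armored signature over the challenge file.
sign_challenge() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$1.asc" "$1"
}

if [ "${1:-}" = "demo" ]; then
  demo_setup
  make_challenge > "$GNUPGHOME/challenge.txt"
  sign_challenge "$GNUPGHOME/challenge.txt"
  verify_response "$DEMO_FPR" "$GNUPGHOME/challenge.txt" "$GNUPGHOME/challenge.txt.asc" &&
    echo "signature made by $DEMO_FPR"
  gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"
fi
```

Run it with the argument `demo` to see the whole exchange in one keyring; in a real exchange the signer and verifier are different machines and the verifier holds only the public key.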
