[SGVLUG] any Debian developers in the area / keysigning for prospective debian developer

Henry B Hotz hbhotz at oxy.edu
Sun Mar 2 12:15:24 PST 2014


On Mar 1, 2014, at 1:35 PM, John Kreznar <jek at ininx.com> wrote:

> In a posting lacking a digital signature, it is written:
> 
>> On Sat, Mar 1, 2014 at 12:09 PM, John Kreznar <jek at ininx.com> wrote:
> 
>>> What matters is that the mind that wrote the software and the mind that
>>> knows the passphrase to the GPG key are one and the same.  Physical
>>> appearance is irrelevant.
> 
>> For signing packages, yea.  But for proving that you are this person
>> with a certain key, yes, it is relevant.
> 
> Ask this person to sign something, and then verify the signature.
> 
>> Which brings me back to your point, what would your solution to this be?
>> (you meet someone, checked their ID, exchanged keys, and then took
>> them on their word that they are the true authors of the package)
> 
> The physical meeting, their "ID", and their word add nothing to the
> assurance you get by verifying their signature on something.  The key IS
> the relevant ID.

Agreed, in the digital world, the key is the ID.

But there's always the question of what the key is supposed to represent. Does Debian actually want it to represent real people who are legally responsible for claims they make about code, or merely a unique author identity? Does a trusting user merely want a unique ID for a pen-pal, or something more?

> -- 
> OpenPGP key: http://ininx.com
> John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13

Personal email.  hbhotz at oxy.edu
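The check John describes ("ask this person to sign something, and then verify the signature"), as an added example that is not part of this thread: a challenge-response in POSIX shell against GnuPG, assuming gpg 2.1+ and gpgconf are installed, using a throwaway keyring and a constructed demo key. It verifies the detached signature over a fresh nonce and, separately, that the signer's fingerprint is the one already trusted, since the fingerprint is the ID.

```shell
#!/bin/sh
# Added example (not from the thread): prove control of a claimed OpenPGP key
# with a challenge-response, then check the signer's fingerprint against the
# one you already trust. Assumes GnuPG 2.1+ (gpg, gpgconf) is installed.
set -eu

# verify_challenge EXPECTED_FPR CHALLENGE_FILE DETACHED_SIG
# Prints "ok" and returns 0 only if the detached signature over the challenge
# is valid AND was made by the key whose fingerprint we trust. A good
# signature from some other key is still a failure: the fingerprint is the ID.
verify_challenge() {
    expected_fpr=$1; challenge=$2; sig=$3
    # --status-fd 1 yields machine-readable lines; VALIDSIG carries the full
    # 40-hex fingerprint of the signing key (absent on BADSIG/ERRSIG).
    fpr=$(gpg --batch --status-fd 1 --verify "$sig" "$challenge" 2>/dev/null \
          | awk '$2 == "VALIDSIG" { print $3 }')
    [ -n "$fpr" ] || { echo "bad signature"; return 1; }
    [ "$fpr" = "$expected_fpr" ] || { echo "key mismatch: $fpr"; return 1; }
    echo ok
}

# demo_setup: isolated keyring, a constructed demo key, a random nonce chosen
# by the verifier, and the signer's detached signature over that nonce.
demo_setup() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" ed25519 sign 1d \
        >/dev/null 2>&1
    DEMO_FPR=$(gpg --batch --with-colons --fingerprint demo@example.invalid \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    NONCE="$GNUPGHOME/nonce.txt"; SIG="$GNUPGHOME/nonce.asc"
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > "$NONCE"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor -o "$SIG" "$NONCE"
}

demo_setup
echo "trusted fingerprint: $DEMO_FPR"
verify_challenge "$DEMO_FPR" "$NONCE" "$SIG"   # prints "ok"
```

A valid signature from a different key, or a tampered challenge, is rejected by the same function; only the pairing of a good signature with the expected fingerprint passes.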


