* Manoj Srivastava ([EMAIL PROTECTED]) wrote: > Explanation? What we have here is an act of bad faith, in the > guise of demonstrating a weakness. In my experience, one act of bad > faith often leads to others.
pffft. This is taking it to an extreme. He wasn't trying to fake who
he was, it just wasn't an ID issued by a generally recognized
government (or perhaps not a government at all, but whatever). This is
not unlike, say, the ID of a private university (or possibly a public
university since the university itself isn't really a government
institution but rather receives gov't funding, heh, I think). And, as
he points out, it's not like all gov'ts are all that trustworthy or do
much in the way of checking before issueing an ID. It's unfortunate but
it's not something we're likely going to be able to fix (the gov't part
of it anyway).
One thing to consider might be having a select set of people who are
already highly trusted and are knowledgeable about the appropriate way
to handle key generation, key signing, distribution, etc, create
essentially a Debian Certificate Authority. Now, this doesn't *have* to
be done using X.509 certs and openssl, it could be done inside the
framework of the gpg system and would just mean that there's a specific
set of people who are "uploader-key-signers" or some such. These people
would also have the additional task of educating newcomers on the
importance of careful key management, etc.
Obvious initial candidates for this might include: ftpmasters, DAMs,
AMs, debian-keyring maintainer.
Thanks,
Stephen
signature.asc
Description: Digital signature
