On Fri, 2005-01-21 at 00:01 +0000, Luke-Jr wrote:
> On Thursday 20 January 2005 11:16 pm, Chris Gianelloni wrote:
> > On Thu, 2005-01-20 at 21:51 +0000, Luke-Jr wrote:
> > > Identification does, maybe, but identification of abilities, not
> > > identification of name.
> >
> > Except we've mostly been talking about GPG keys... which we use for
> > pretty much two things... to determine that the person sending the email
> > is in fact the person we think they are, and to sign releases/packages
> > (eventually) to determine that the package was indeed added to the tree
> > by the person it says it was.
>
> None of that needs names or email addresses to do. You just need to know that
> key X represents the person you expect the email/package to be from.
> Keys are used to determine that the person who signed one email/package/etc is
> the same person that signed another email/package/etc. Using names to
> determine this is actually a very bad idea. Are you going to sign Daniel
> Robbins (of Microsoft)'s key just because you've used and trust ebuilds from
> somebody named Daniel Robbins? If you've never met D.Robbins (of Gentoo)
> before, there is nothing in your keysigning scheme to prevent you from
> signing a key D.Robbins (of Microsoft) has for the purpose of imitating him.

No, because I wouldn't be base enough to sign the key without doing
verification that the person I had met did indeed also control the email
address and GPG key that I was presented with at the event.

> > > I would argue that this is more of a rationale for different signature
> > > types. "I know this key is used for honest representation." (what I
> > > consider key sigs to be right now), "I trust the person this key
> > > represents with some things of mine", and "I trust the person this key
> > > represents with any access that I have."
> > > Just because I sign Mr. Green's key doesn't mean I am guaranteeing he
> > > won't kill Mrs. White with the candlestick. All I'm saying is that the
> > > particular Mr. Green I know uses this key for legitimate purposes and is
> > > not attempting to represent somebody else.
> >
> > Exactly. The point of the ID is that you are signing a key of someone
> > that you might not know, and you want to be sure that someone else isn't
> > trying to represent them.
>
> Many people have the same name. An ID isn't going to help you differentiate
> between them.

Which is why you do not just check an ID. Are you really this dense?

> > > I'm unaware of any mail program that has the ability to have a different
> > > default for mailing lists.
> >
> > Actually, that is pretty easy. All you need to do is set up something
> > like [EMAIL PROTECTED] and set the preference for that address
> > to not send them. You could even use the exact same email address.
>
> KMail doesn't support per-sender MDN preferences. Does Evolution?
> Either way, stripping the header at the list works fine.

--
Chris Gianelloni
Release Engineering - Operations/QA Manager
Games - Developer
Gentoo Linux
