On Fri, 2006-05-05 at 03:27 -0500, Patrick W. Barnes wrote: > On Thursday 04 May 2006 21:59, Karsten Wade <kwade@xxxxxxxxxx> wrote: > > > > Missed opportunity at the last FUDCon for a keysigning. Why don't we > > care about those anymore? Don't we need a strong web of trust for > > Fedora keys to mean anything themselves? > > > > Is there any way we can do keysigning parties not in person? For > > example ... > > > > Okay, I started to write out a process that included pictures of > > ourselves signed and encrypted and verified ... and it was crazier than > > ever. > > > > Anyone want to start a Fedora Keys SIG that works to get _everyone_ to > > pause for a keysigning wherever two Fedorans meet in the meat? > > > > Others may have a different view, but I don't see meeting in person as a > requirement for trust among Fedora contributors. The real purpose of > requiring face-to-face contact is to allow identities to be verified. Since > we are identified to each other by our contributions, we have less of a need > to attach a GPG key to a face and more need to attach a GPG key to a > contributor identity. +1. Many Fedora contributors may not be able to meet others physically...though we do access the same Project services via online identities, so perhaps Project people or systems could serve as trusted third-parties in some fashion... > This can be accomplished through regular usage of > keys. For example, since I always sign my messages, and you can be > reasonably sure of my contributor identity, you can infer that it is safe to > trust the key that I regularly sign with. Lots of the bits that make up a contributor identity are listed on personal Wiki pages, or in the accounts system... Random thought: The CLA agreement has to be GPG signed, and the accounts system provides a list of contributors. Does the database behind the accounts system store anything relating to GPG? > It would be just as easy for > someone to show up at a FUDCon with an ID card that has my name on it and > claim to be me for the sake of getting their key signed, and that's why > face-to-face keysigning parties aren't as useful for Fedora contributors. -- Stuart Ellis stuart@xxxxxxxx Fedora Documentation Project: http://fedora.redhat.com/projects/docs/ GPG key ID: 7098ABEA GPG key fingerprint: 68B0 E291 FB19 C845 E60E 9569 292E E365 7098 ABEA
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-docs-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-docs-list