On Fri, 2006-05-05 at 03:27 -0500, Patrick W. Barnes wrote:
> On Thursday 04 May 2006 21:59, Karsten Wade <kwade(a)redhat.com> wrote:
> >
> > Missed opportunity at the last FUDCon for a keysigning. Why don't we
> > care about those anymore? Don't we need a strong web of trust for
> > Fedora keys to mean anything themselves?
> >
> > Is there any way we can do keysigning parties not in person? For
> > example ...
> >
> > Okay, I started to write out a process that included pictures of
> > ourselves signed and encrypted and verified ... and it was crazier than
> > ever.
> >
> > Anyone want to start a Fedora Keys SIG that works to get _everyone_ to
> > pause for a keysigning wherever two Fedorans meet in the meat?
> >
> Others may have a different view, but I don't see meeting in person as a
> requirement for trust among Fedora contributors. The real purpose of
> requiring face-to-face contact is to allow identities to be verified. Since
> we are identified to each other by our contributions, we have less of a need
> to attach a GPG key to a face and more need to attach a GPG key to a
> contributor identity.

+1. Many Fedora contributors may not be able to meet others
physically...though we do access the same Project services via online
identities, so perhaps Project people or systems could serve as trusted
third-parties in some fashion...

> This can be accomplished through regular usage of
> keys. For example, since I always sign my messages, and you can be
> reasonably sure of my contributor identity, you can infer that it is safe to
> trust the key that I regularly sign with.

Lots of the bits that make up a contributor identity are listed on
personal Wiki pages, or in the accounts system... Random thought: The
CLA agreement has to be GPG signed, and the accounts system provides a
list of contributors. Does the database behind the accounts system store
anything relating to GPG?

> It would be just as easy for
> someone to show up at a FUDCon with an ID card that has my name on it and
> claim to be me for the sake of getting their key signed, and that's why
> face-to-face keysigning parties aren't as useful for Fedora contributors.

--
Stuart Ellis
stuart(a)elsn.org
Fedora Documentation Project:
http://fedora.redhat.com/projects/docs/
GPG key ID: 7098ABEA
GPG key fingerprint: 68B0 E291 FB19 C845 E60E 9569 292E E365 7098 ABEA