Time to resurrect multi-key signatures in RPM?

[Bojan Smojver]

On Thu, 2008-08-28 at 10:49 +0200, Nils Philippsen wrote:

> Just about every bank in Germany would operate like this. After all, we
> do have a national ID that is hard enough to fake(*) and if you present
> it to entities like banks, they usually make a copy and can verify the
> data on the ID with the "Einwohnermeldeamt" (possibly "residents
> registration office").

In other words, they only marginally trust that ID card. Therefore, they
cross-check with the office (but most likely NOT the person that issued
the card) that what is on that document is ACTUALLY true.

Think of the card as the RPM coming out of Fedora build system, signed
with Fedora key (i.e. all the hard to get paraphernalia that the card is
made of). Think of the phone call to the office as a comparison to an
independently built RPM. Think of the act of opening the bank account as
an independent signatory signing the RPM.

-- 
Bojan