Re: [opensuse-factory] openSUSE Project Signing Key
On Wed, 2008-11-12 at 11:37 +0100, Stephan Kulow wrote:
I hope you trust me.
Nah, how could I!

Even though your mail is signed, I don't have your public key, which of course you could send me now by mail. BUT: this could be the same forged account sending me any public key that was used previously to sign that email.

We could of course get over this obstacle by calling each other and exchanging the fingerprint via phone. But as I don't know your voice, you could be any random person picking up the phone and telling me the fingerprint of the wrong public key.

So there remains: we have to meet... but then: I have no idea how you look, so you could be any person getting this mail and meeting me at the spot we talk about.

So: I bring one of my friends that knows a friend who knows a friend that knows a friend that knows you... and if I can trust ALL the elements in the middle, then I might be sure it is you... but only if I'm absolutely certain none of them in the middle was bribed by you in order to hide your real identity. :)

Dominique
On Wed, Nov 12, 2008 at 11:53:31AM +0100, Dominique Leuenberger wrote:
On Wed, 2008-11-12 at 11:37 +0100, Stephan Kulow wrote:
I hope you trust me.
Nah, how could I!
Even though your mail is signed, I don't have your public key, which of course you could send me now by mail. BUT: this could be the same forged account sending me any public key that was used previously to sign that email.
Well, that's what keyservers are for, and coolo's key is signed by a long list of people who could have been forging a lot of suse accounts. ;-)

You could, of course, enter the (G)PG(P) trust network by creating and uploading your own key, and participate in a few key signing events, which probably would result in a trust chain from you to coolo pretty quickly.

But so far the only possibility you have is to drive to Nuernberg, check coolo's passport, and have him read his key fingerprint to you. (And find someone to prove that coolo, the passport, and the SuSE office are not forged.) ;-)

cheers,
Sonja

--
Sonja Krause-Harder (skh@suse.de)
SUSE Research & Development
SUSE Linux Products GmbH
GF: Markus Rex, HRB 16746 (AG Nuernberg)
On Wednesday, 12 November 2008, Dominique Leuenberger wrote:
On Wed, 2008-11-12 at 11:37 +0100, Stephan Kulow wrote:
I hope you trust me.
Nah, how could I!
Even though your mail is signed, I don't have your public key, which of course you could send me now by mail. BUT: this could be the same forged
See how it can look: http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0x609F05C1-0x5063A...

I never met Vincent, but have no reason not to believe his signatures.

Greetings, Stephan
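
The two views of a trust chain discussed in this thread, as an added example that is not part of the original messages: a path finder over a constructed signature graph that returns either any signature chain (what a path-finding page shows) or only chains whose intermediate signers the verifier trusts. The key names and the `trusted` parameter are assumptions, and this simplified model is not GnuPG's own trust computation.

```python
from collections import deque

# Constructed sample data: (signer, signee) means "signer certified signee's key".
# The names are placeholders, not real keys or people.
SIGNATURES = [
    ("me", "alice"), ("alice", "bob"), ("bob", "target"),
    ("me", "carol"), ("carol", "target"),
]


def shortest_chain(signatures, source, target, trusted=None):
    """Return the shortest certification chain source -> target, or None.

    trusted=None: every signature counts, so any path in the graph is returned.
    trusted=set:  a chain may only pass through intermediate keys whose owners
                  the verifier trusts to check identities before signing.
    """
    graph = {}
    for signer, signee in signatures:
        graph.setdefault(signer, []).append(signee)

    queue = deque([[source]])
    seen = {source}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        # A signature made by an untrusted intermediate proves nothing to us,
        # so the chain is not extended through that key.
        if node != source and trusted is not None and node not in trusted:
            continue
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    print(shortest_chain(SIGNATURES, "me", "target"))
    print(shortest_chain(SIGNATURES, "me", "target", trusted={"alice", "bob"}))
    print(shortest_chain(SIGNATURES, "me", "target", trusted={"alice"}))
```

A path existing in the signature graph and a path the verifier can rely on are different results: the second and third calls drop the short chain through `carol`, and the third finds no chain at all because one link in the middle is not trusted.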