On Sat, Jun 11, 2005 at 11:17:21PM -0700, Steve Langasek wrote:
> > What are we setting out to achieve?
>
> - To verify that the person so identified controls a specific email address

What does 'control' mean here? Given this:

> Many people consider all of options a), b), and c) to be inappropriate, and
> will instead encrypt each of the uid signatures individually and mail them
> to the corresponding email address, to verify that you control each address.

I presume that you just mean 'is capable of receiving mail sent to the
address', but that is anybody at all with an internet connection and a
copy of woody, which contains all you need to capture other people's
mail. I'm not sure why you're bothering to verify that the person so
identified falls into this group.

Mail delivery is nothing remotely resembling secure. That's why we
need keys in the first place (and all you people waving smtp-tls
around, go back and think about how useful that's going to be without
signing keys).

(I can't even be bothered to start laughing at the idea of encrypting
signatures. That's just too silly even for ridicule).

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |