On Mon, Aug 04, 2003 at 10:41:37AM -0700, Alan Connor wrote:
> Funny. I know someone who has 2 of those PGP signatures things, neither of
> which use his real name or stats.
>
> He can prove that he is someone he isn't.

The GPG signature on this mail does not prove that I am Colin Watson. It proves that I'm in possession of the same key that signed all other messages signed by the same key, but that's about it. If you download my key, key ID 10FA4CD1, and do 'gpg --list-sigs 10fa4cd1', however, you'll see the list of other people (strictly, their keys; you'd have to download their keys in turn to see the names) who have met me, verified my identity, and are willing to say that I am who I say I am. People who can find the key of people they know and trust there have evidence that I'm Colin Watson.

Also, the keys of all Debian developers - and only Debian developers - are available from keyring.debian.org, so having the key is enough identification to allow me to upload packages. The GPG web of trust among Debian developers is one of the strongest in the world, since we make so much use of it for the project's security. For proof, see the global stats at http://keyserver.kjsl.com/~jharris/ka/2003-07-27/top1000table.html.gz and match up the keys against our keyring. This is a useful defence against people sneaking into the project under false identities; it's not watertight, and it's possible it's been broken, but it's a lot harder than it would be otherwise.

> This fellow isn't even a particularly skilled hacker.

Well, you certainly haven't mentioned anything that he's done that requires the remotest skill. Here's how to do it: 'gpg --gen-key'. Getting the key signed by someone I trust would be a more impressive trick, as he'd have to be a skilled *social* hacker to do that.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
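The check Colin describes, finding the key of someone you already trust among the signatures on a key, as an added example that is not part of the original mail. It parses the machine-readable form of the listing ('gpg --with-colons --list-sigs'); the record layout used here and the key IDs in the sample are assumptions and constructed data, not a real listing of any key mentioned above.

```python
"""Which signatures on a key come from keys I already trust?

Added example, not from the original mail. The sample below is constructed
text in the format that 'gpg --with-colons --list-sigs <keyid>' is assumed
to emit: colon-separated records where 'sig' records carry the signer's
key ID in field 5 and the signer's user ID (if known) in field 10.
"""
from typing import Dict, List, Set

# Constructed sample listing. 'pub' is the key being examined, 'uid' a
# user ID on it, each 'sig' a certification of that user ID by another key.
SAMPLE_LISTING = """\
pub:f:1024:17:AAAAAAAAAAAAAAAA:2000-01-01::::
uid:::::::::Example Person <example@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:2000-01-01::::Example Person <example@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:2001-05-05::::Known Friend <friend@example.org>:10x:
sig:::17:CCCCCCCCCCCCCCCC:2001-06-06::::[User ID not found]:10x:
"""


def parse_signers(listing: str, subject_keyid: str) -> Dict[str, str]:
    """Map signer key ID -> signer user ID for every signature on the
    listing, dropping the key's own self-signature (which says nothing
    about the holder's identity, exactly as the mail points out)."""
    signers: Dict[str, str] = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 10:
            continue
        keyid, uid = fields[4], fields[9]
        if keyid == subject_keyid:
            continue  # self-signature: anyone can make one with 'gpg --gen-key'
        signers[keyid] = uid
    return signers


def trusted_signers(listing: str, subject_keyid: str,
                    trusted_keyids: Set[str]) -> List[str]:
    """Signers whose key ID is in the caller's own trusted set. Only these
    signatures are evidence of identity; a signature from an unknown key
    (such as CCCC... above) adds nothing until that key is itself checked."""
    signers = parse_signers(listing, subject_keyid)
    return sorted(k for k in signers if k in trusted_keyids)


if __name__ == "__main__":
    mine = {"BBBBBBBBBBBBBBBB"}  # keys of people I have met and trust
    print(trusted_signers(SAMPLE_LISTING, "AAAAAAAAAAAAAAAA", mine))
```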