On Tue, Dec 02, 2003 at 03:29:16AM +0000, Luke-Jr wrote: > > (1) admin is bottleneck > There's a few hours delay from when key is uploaded to dev to when it's copied > to cvs anyway... Besides, considering the admin need to create the account in > the first place, this isn't really an issue. Existing devs can have keys > uploaded before passwords are disabled. I do agree that the admin bottleneck isn't as much of a problem as it could be, as the admin has to create the account in the first place, but that and adding the key can be seperate actions. Eg, admin creates the account, and asks user to send ssh key. 3rd party intercepts this request, and answers themselves before the new developer does.
> > (2) verifying the key wasnt messed with in transit > > your solution really doesnt address either ... in fact the irc thing is a > > *really bad* idea ... > > after all, dcc/irc is as easy to manipulate as telnet (well even easier :D) > Bug freenode to support GPG authentication for registered nicknames? =p Pipe dream as that would be very non-standard AFAIK. Lets go back to your suggestion of GPG-signed mail for a moment. That still doesn't provide much help. I can easily generate a GPG key with your name and email address on them, and unless you have an existing key that is on the web-of-trust, I can't prove that the key is actually yours. -- Robin Hugh Johnson E-Mail : [EMAIL PROTECTED] Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 ICQ# : 30269588 or 41961639 GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
pgp00000.pgp
Description: PGP signature
