On Fri, 25 Mar 2011 10:44:31 +0100 "Andreas K. Huettel" <dilfri...@gentoo.org> wrote:
> * the signature proves the key belongs to the e-mail address, nothing
> else

Anyone could generate a signature with one of my @g.o e-mail addresses in it, then pass themselves off as myself, right? If they then trick you into thinking that I sent the mail you received, signed with their key, they're all set. Having the "right" e-mail address in the key would not improve anything.

> * the e-mail address is given to the owner of the key during
> recruitment

It's been a while, but I am certain I did not have a @gentoo.org address yet _during_ recruitment, and I was instead asked to provide an address that I _did_ already use. It looks like that still has not changed.[1] Looking at the e-mail from that time, it seems I had been asked to sign my SSH key with it and send it to recruiters@.

jer

[1] http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2