Date:	Wed, 5 Oct 2011 13:06:16 -0400
From:	Ted Ts'o <tytso@....edu>
To:	Adrian Bunk <bunk@...sta.de>
Cc:	"Frank Ch. Eigler" <fche@...hat.com>, Valdis.Kletnieks@...edu,
	"H. Peter Anvin" <hpa@...or.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
> 
> What policy is now used at kernel.org is exactly the question
> I asked in [1], and where I'm still waiting for an answer from hpa.
> 
> Other organizations like Debian have a clear and public policy on 
> what is required for the user identification part for uploading to
> the archive [2], and I expect the same for kernel.org.

Peter has already said "are you prepared to swear in court".
Government issued ID is one way (although any US high school student
knows how easy it is to get fake ID); personal knowledge of someone's
speech patterns plus common history generated by years of talking to
that person at conferences and/or concalls, is another way.

When I bootstrapped Linus's key, he and I talked on the phone, and I
knew him well enough by our conversation my recognizing his speech
patterns that I was prepared to certify his key even though I've never
seen his government ID.  That being said, I also know and trust Jim
Zemlin well enough to trust that the person employed by the Linux
Foundation had his ID and right to work checked per US employment law,
and that the person I talked to was the same person who is
employed by the Linux Foundation.  Realistically, I'm far more sure of
Linus's identity than I would be of some random Debian developer who
got his key signed after some quick impromptu verification of what
appeared to be a government-issued ID at some conference.  :-)

						- Ted