www-community mailing list archives

From Ask Bjoern Hansen <...@perl.org>
Subject Re: establish a trust relationship (Re: missing signatures)
Date Fri, 26 Sep 2003 05:07:16 GMT

On Wed, 24 Sep 2003, Joshua Slive wrote:

> A chain of trust can have more than one link.  Assuming there is someone
> in Japan who has once been to a country with an ASF member, geography need
> not be a barrier.

Eh, there are many other reasonable ways to establish a chain of
trust than a personal meeting.  In some contexts they might even be
superior.

Some combination of the following would be as hard to attack as
pretending to be someone else in a personal meeting:

I mostly know you as the guy who sends mail from joshua@slive.ca.
You send me your key signature from that address; I respond with a
token and you send the token back.  Maybe afterwards I wait a month
or two and follow your use of that email address.  If you keep
sending useful patches to similar things as you've done in the past,
that's a good indication.

We have postal addresses of ASF members on file.  Tokens and key
signatures can be sent back and forth via postal mail.

Likewise for telephone numbers; figuring out a time to make two
calls across the world should be feasible.

Some people include their key signature in all their mails.


 - ask

-- 
http://www.askbjoernhansen.com/ - http://develooper.com/
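
The e-mail token round trip described in the message above, sketched from the verifier's side as an added example that is not part of the original post. It assumes the "key signature" is the key's fingerprint; `TokenChallenge`, `normalize`, the one-week lifetime and the sample address and fingerprint are hypothetical or constructed.

```python
import hmac
import secrets
import time


def normalize(fingerprint):
    """Compare fingerprints without regard to spacing or letter case."""
    return "".join(fingerprint.split()).upper()


class TokenChallenge:
    """Verifier side of the e-mail token round trip (hypothetical helper)."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # address -> (token, fingerprint, expiry)

    def issue(self, address, fingerprint):
        """Record the claim and return the token to mail to `address`."""
        token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._pending[address.strip().lower()] = (
            token, normalize(fingerprint), self._clock() + self._ttl)
        return token

    def confirm(self, from_address, token, fingerprint):
        """True only if the token returns from the address it was sent to,
        for the same fingerprint, before it expires. One attempt per token."""
        entry = self._pending.pop(from_address.strip().lower(), None)
        if entry is None:
            return False
        expected, claimed, expiry = entry
        return (hmac.compare_digest(token.strip().encode(), expected.encode())
                and normalize(fingerprint) == claimed
                and self._clock() <= expiry)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    fpr = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    verifier = TokenChallenge()
    sent = verifier.issue("contributor@example.org", fpr)
    print(verifier.confirm("contributor@example.org", sent, fpr))   # first reply
    print(verifier.confirm("contributor@example.org", sent, fpr))   # replayed reply
```

A returned token shows only that the responder can read mail delivered to that address; the From header of the reply is not evidence on its own, which is why the message pairs the round trip with other channels.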


