Date: Wed, 5 Oct 2011 22:23:49 +0300
From: Adrian Bunk
To: "Ted Ts'o", "Frank Ch. Eigler", Valdis.Kletnieks@vt.edu, "H. Peter Anvin", "Rafael J. Wysocki", Linux Kernel Mailing List, Greg KH
Subject: Re: kernel.org status: establishing a PGP web of trust
Message-ID: <20111005192349.GA14406@localhost.pp.htv.fi>
In-Reply-To: <20111005170616.GD4297@thunk.org>

On Wed, Oct 05, 2011 at 01:06:16PM -0400, Ted Ts'o wrote:
> On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
> >
> > What policy is now used at kernel.org is exactly the question
> > I asked in [1], and where I'm still waiting for an answer from hpa.
> >
> > Other organizations like Debian have a clear and public policy on
> > what is required for the user identification part for uploading to
> > the archive [2], and I expect the same for kernel.org.
>
> Peter has already said "are you prepared to swear in court".
> Government issued ID is one way (although any US high school student
> knows how easy it is to get fake ID); personal knowledge of someone's
> speech patterns plus common history generated by years of talking to
> that person at conferences and/or concalls, is another way.
>
> When I bootstrapped Linus's key, he and I talked on the phone, and I
> knew him well enough by our conversation my recognizing his speech
> patterns that I was prepared to certify his key even though I've never
> seen his government ID. That being said, I also know and trust Jim
> Zemlin well enough to know trust that the person employed by the Linux
> Foundation had his ID and right to work checked per US employment law,
> and that the person I talked to was the same person who is
> employed by the Linux Foundation. Realistically, I'm far more sure of
> Linus's identity than I would be of some random Debian developer who
> got his key signed after some quick impromptu verification of what
> appeared to be a government-issued ID at some conference. :-)

That was not what I was talking about in the email you are answering to.

Let me paraphrase my question:

"Whose signatures do I need on my key so that it will be accepted at
kernel.org?"

With that information I can check if one email to a few local people to
have a local keysigning is enough. Or if I have to bother Linus to meet
me and sign my key the next time he is here in Helsinki.

> - Ted

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed