Re: status: establishing a PGP web of trust

From: Valdis . Kletnieks
Date: Tue Oct 04 2011 - 16:30:36 EST

On Mon, 03 Oct 2011 21:04:41 +0300, Adrian Bunk said:
> On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:

> > What is the threat that this passport checking is intended to cure?
> > That someone else might have been impersonating Rafael for years,
> > sending patches, chatting in email and over the phone, and attending
> > conferences?
> Key signing is an identity check.

That's dodging the issue. Somehow, I don't see Andrew Morton asking Linus to
sign his key, and Linus saying "How do I know you're the *real* Andrew Morton?"
And Andrew is a clever guy, if he was a fake Andrew, I'm sure he'd have gotten
a fake ID that would be good enough to fool Linus, who is also a clever guy but
I'm not aware of any special background he has in forgery detection. ;)

The more important point is that as far as the linux-kernel community is
concerned, the guy we've all seen show up at conferences and present stuff all
these times *is* Andrew Morton, even if his real name is George Q. Smith and
he's been on the run for the last 27 years for an embarassing incident
involving an ostrich, the mayor's daughter, and 17 gallons of mineral oil in
the atrium of the museum. ;)

The ID check is to connect an actual person to the claimed key, and primarily
intended for key signing parties and the like, where people *don't* know each
other very well. I think there's something like 5 people on the linux-kernel
list who actually know me in real life, because I don't travel much and I'm
rather in the boonies. If I asked anybody *else* who I'd not met before to
sign my key, yes, I'd expect them to check my ID, to ensure I wasn't somebody
trying to pull a fast one at the keysigning party.

> > If so, perhaps the impostor is of more value to the
> > project than the Real Rafael.
> Pseudonymous contributions to the kernel are not allowed.

See above - whoever Andrew Morton *really* is, his contributions are hardly
