Date: Tue, 5 Apr 2011 05:36:52 +0200
From: Jeroen Roovers
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Message-ID: <20110405053652.02fc538e@epia.jer-c2.orkz.net>
In-Reply-To: <201103251044.37611.dilfridge@gentoo.org>

On Fri, 25 Mar 2011 10:44:31 +0100
"Andreas K. Huettel" wrote:

> * the signature proves the key belongs to the e-mail address, nothing
>   else

Anyone could generate a signature with one of my @g.o e-mail addresses
in it, then pass themselves off as myself, right? If they then trick
you into thinking that I sent the mail you received, signed with their
key, they're all set. Having the "right" e-mail address in the key
would not improve anything.

> * the e-mail address is given to the owner of the key during
>   recruitment

It's been a while, but I am certain I did not have a @gentoo.org
address yet _during_ recruitment, and I was instead asked to provide an
address that I _did_ already use. It looks like that still has not
changed.[1] Looking at the e-mail from that time, it seems I had been
asked to sign my SSH key with it and send it to recruiters@.


     jer


[1] http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
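
Added example, not part of the original mail and not Gentoo's own tooling: a check that accepts a signature because its user ID carries the expected address, next to one that compares the key fingerprint with a list recorded out of band. The status lines follow GnuPG's --status-fd format; the fingerprints, the name "dev-one", the example.org address and the PINNED table are constructed for illustration.

```python
PREFIX = "[GNUPG:] "

# Assumption: fingerprints are recorded out of band, one per developer.
PINNED = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": "dev-one"}

# Constructed gpg --status-fd output for two good signatures. Both keys
# carry the same user ID text; only the fingerprints differ.
GENUINE = (
    "[GNUPG:] GOODSIG DDDD4444EEEE5555 Dev One <dev-one@example.org>\n"
    "[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2011-04-05 "
    "1301974612 0 4 0 1 2 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\n"
)
LOOKALIKE = (
    "[GNUPG:] GOODSIG 9999888877776666 Dev One <dev-one@example.org>\n"
    "[GNUPG:] VALIDSIG 0000FFFF0000FFFF0000FFFF9999888877776666 2011-04-05 "
    "1301974700 0 4 0 1 2 00 0000FFFF0000FFFF0000FFFF9999888877776666\n"
)

def parse_status(text):
    """Return (uid, primary_key_fingerprint) from gpg status output."""
    uid = fpr = None
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split(" ")
        if fields[0] == "GOODSIG" and len(fields) >= 3:
            uid = " ".join(fields[2:])  # free text chosen by the key creator
        elif fields[0] == "VALIDSIG" and len(fields) >= 2:
            # Field 10 is the primary key fingerprint when gpg emits it.
            fpr = fields[10] if len(fields) >= 11 else fields[1]
    return uid, fpr

def check_by_uid(text, expected_email):
    """Weak check: a good signature whose UID mentions the address."""
    uid, fpr = parse_status(text)
    return uid is not None and fpr is not None and f"<{expected_email}>" in uid

def check_by_fingerprint(text):
    """Pinned check: return the developer name, or None if the key is unknown."""
    _, fpr = parse_status(text)
    return PINNED.get(fpr.upper()) if fpr else None

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, check_by_uid(sample, "dev-one@example.org"),
              check_by_fingerprint(sample))
```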