On Tue, Aug 13, 2013 at 11:01:02AM +1000, Brian May wrote:
For that matter, would anyone here object to signing the following key for me? If so, why? If not, why not?
Brian Mays <brian@debian.org>
http://web.archive.org/web/20070406152603/http://blog.madduck.net/geek/2006....

During one of Debian's KSPs (Oaxtepec, Mexico) a DD printed and used his own ID issued by the Transnational Republic. A few folks and I noticed it; see the webpage above. It caused a huge mail thread; see it at the web address below.

http://lists.debian.org/debian-devel/2006/05/msg01615.html
Do a Google search; if lucky, you may find that I used to be responsible for PCMCIA in Debian, but ran out of time, so now other people have taken over. Yes, I am definitely a Debian developer too. That email address is a valid email address too (Google can prove this).
Most people signing wouldn't bother checking details like this with Google.
To avoid the problem of Brian May (May != Mays) submitting Brian Mays' public key for a KSP, we request that the public key be signed with the same key. See the instructions for the annual Debian KSP at the webpage below.

http://people.debian.org/~anibal/ksp-dc13/ksp-dc13.html

It also allows us to check who uses SHA2 in preference to SHA1 for signatures. In Debian we have been moving away from 1K DSA keys as primary keys, with SHA1 as the preferred hash, to 4K (at least 2K) RSA keys with strong SHA2 signatures.

BTW, to use SHA2 in preference to SHA1, add at the end of ~/.gnupg/gpg.conf:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

If you use caff [1] for signing keys you will also need to add these lines to ~/.caff/gnupghome/gpg.conf as well, otherwise your signatures will be SHA1.

[1] http://pgp-tools.alioth.debian.org/
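As an added example, not part of the original thread and not a Debian KSP tool, the following Python script does the two checks the message above implies: it audits the digest settings in a gpg.conf (the same check applied to ~/.gnupg/gpg.conf and ~/.caff/gnupghome/gpg.conf catches the caff pitfall), and it scans the output of `gpg --list-packets` for 1024-bit DSA keys and SHA1-signed certifications so you can verify what you actually produced. The packet text and the two config snippets embedded below are constructed for the demonstration; the algorithm ID tables are the standard OpenPGP ones (RFC 4880 section 9).

```python
"""Audit gpg.conf digest settings and `gpg --list-packets` output for SHA1/weak keys.

Added example for this thread; not Debian's or the KSP's own tooling.
Run it on real output with:  gpg --export KEYID | gpg --list-packets | python3 audit.py
"""
import re
import sys

# OpenPGP public-key and hash algorithm IDs (RFC 4880 section 9).
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
STRONG_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}
MIN_RSA_BITS = 2048  # "at least 2K" per the message above


def check_gpg_conf(conf_text):
    """Return a list of problems with the digest options in a gpg.conf body."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    problems = []
    cert = settings.get("cert-digest-algo", "")
    if cert.upper() not in STRONG_HASHES:
        problems.append(f"cert-digest-algo is '{cert or 'unset'}'")
    prefs = settings.get("personal-digest-preferences", "").split()
    if not prefs or prefs[0].upper() not in STRONG_HASHES:
        problems.append(f"personal-digest-preferences starts with '{prefs[0] if prefs else 'unset'}'")
    return problems


def parse_packets(text):
    """Split `gpg --list-packets` output into {type, header, body[]} dicts."""
    packets, current = [], None
    for line in text.splitlines():
        m = re.match(r"^:(.+?) packet:(.*)$", line)
        if m:
            current = {"type": m.group(1), "header": m.group(2).strip(), "body": []}
            packets.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return packets


def audit_packets(text):
    """Return findings: small DSA/RSA keys and signatures made with a weak digest."""
    findings = []
    for pkt in parse_packets(text):
        body = " ".join(pkt["body"])
        if pkt["type"] in ("public key", "public sub key"):
            algo = int(re.search(r"algo (\d+)", body).group(1))
            bits = int(re.search(r"\[(\d+) bits\]", body).group(1))  # pkey[0]: p for DSA, n for RSA
            name = PUBKEY_ALGOS.get(algo, f"algo{algo}")
            if (name == "DSA" and bits <= 1024) or (name == "RSA" and bits < MIN_RSA_BITS):
                findings.append(f"{pkt['type']}: weak {name} {bits}-bit key")
        elif pkt["type"] == "signature":
            keyid = re.search(r"keyid ([0-9A-Fa-f]+)", pkt["header"]).group(1)
            digest = int(re.search(r"digest algo (\d+)", body).group(1))
            hname = HASH_ALGOS.get(digest, f"hash{digest}")
            if hname not in STRONG_HASHES:
                findings.append(f"signature by {keyid}: weak digest {hname}")
    return findings


# Constructed sample: gpg.conf with the three lines from the message, and one without them.
GOOD_CONF = """personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""
CAFF_CONF_MISSING = "# caff's gnupghome was never updated\ncert-digest-algo SHA1\n"

# Constructed sample in `gpg --list-packets` layout: a 1024-bit DSA key whose self-signature
# uses SHA1 (digest algo 2), plus a certification from an RSA key using SHA256 (digest algo 8).
SAMPLE_PACKETS = """:public key packet:
    version 4, algo 17, created 1150000000, expires 0
    pkey[0]: [1024 bits]
    pkey[1]: [160 bits]
    pkey[2]: [1024 bits]
    pkey[3]: [1024 bits]
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 17, keyid 0123456789ABCDEF
    version 4, created 1150000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 3a 7b
    hashed subpkt 2 len 4 (sig created 2006-06-11)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
    data: [159 bits]
    data: [158 bits]
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1376352000, md5len 0, sigclass 0x10
    digest algo 8, begin of digest c4 1e
    hashed subpkt 2 len 4 (sig created 2013-08-13)
    subpkt 16 len 8 (issuer key ID FEDCBA9876543210)
    data: [4095 bits]
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PACKETS
    for path, conf in (("~/.gnupg/gpg.conf", GOOD_CONF), ("~/.caff/gnupghome/gpg.conf", CAFF_CONF_MISSING)):
        print(path, "OK" if not check_gpg_conf(conf) else check_gpg_conf(conf))
    for finding in audit_packets(text):
        print(finding)
```

Both config files have to pass `check_gpg_conf`: caff runs gpg with its own GNUPGHOME, so a correct ~/.gnupg/gpg.conf does nothing for the signatures caff makes, which is exactly the failure the message warns about. After signing, piping the exported key through `audit_packets` confirms the certification carries digest algo 8 or higher rather than 2.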