pqm at canonical.com key needs a new email, and some signatures

Martin Pool mbp at sourcefrog.net
Tue May 9 12:36:45 BST 2006


On  9 May 2006, Robert Collins <robertc at robertcollins.net> wrote:
> On Tue, 2006-05-09 at 21:26 +1000, Martin Pool wrote:
> > 
> > Which means, "make a local signature that won't be exported/uploaded".
> > But that means each person must individually make sure they have the
> > right one.  What's wrong with making a regular untrusted signature?
> 
> well, I need to read up on the new transitive trust stuff in GPG. Until
> that existed, there was *no* trust metric published with a signature.
> 
> Even with that existing, and the ability to export the trust, a
> signature still asserts that you have verified the identity of the
> person that can make signatures with that key....
> 
> And I'm *really* hoping you haven't managed to do that :)

OK, so "lsign" means "I'm not really sure, but I'm prepared to assume
it's the right person", whereas "sign" is "I declare to the world at
large this is the right person".  For the person signing the effect is
the same.

So, really, if Robert created the key and knows it's the one being used,
he should publish a signature.  Others can sign it if they're convinced
it's the right one.

-- 
Martin



