pqm at canonical.com key needs a new email, and some signatures

John A Meinel john at arbash-meinel.com
Tue May 9 15:08:03 BST 2006


Martin Pool wrote:
> On  9 May 2006, Robert Collins <robertc at robertcollins.net> wrote:
>> On Tue, 2006-05-09 at 21:26 +1000, Martin Pool wrote:
>>> Which means, "make a local signature that won't be exported/uploaded".
>>> But that means each person must individually make sure they have the
>>> right one.  What's wrong with making a regular untrusted signature?
>> well, I need to read up on the new transitive trust stuff in GPG. Until
>> that existed, there was *no* trust metric published with a signature.
>>
>> Even with that existing, and the ability to export the trust, a
>> signature still asserts that you have verified the identity of the
>> person that can make signatures with that key....
>>
>> And I'm *really* hoping you haven't managed to do that :)
> 
> OK, so "lsign" means "I'm not really sure, but I'm prepared to assume
> it's the right person", whereas "sign" is "I declare to the world at
> large this is the right person".  For the person signing the effect is
> the same.
> 
> So, really, if Robert created the key and knows it's the one being used,
> he should publish a signature.  Others can sign it if they're convinced
> it's the right one.
> 

Well, we still need it to have 'pqm at pqm.ubuntu.com'.
My understanding of 'lsign' is that it is 'local sign', meaning you will
sign it, but won't ever upload your signature to a keyserver.

Most clients use a trust model of "if enough people that I trust have
signed that key, then I will trust that key". Which doesn't have a
concept of how much the other people trust the key, just that they
signed it.

I would like to be able to trust the pqm because Martin, Robert, James,
and Aaron all trust it, without having to go out and sign it myself.

I really think there are benefits to having the pqm's key signed by
others. But I don't know what the gpg world's idea is, since it seems to
only want to claim a physical document => digital signature connection.
(Verifying passports and drivers licenses is all good, except that still
doesn't confirm the person, just a couple of documents => digital key).

Anyway, I can lsign the key, but I really want to get at least
'pqm at pqm.ubuntu.com' added to the key.
Otherwise no form of trust matters, since the user doesn't match the
committer.

John
=:->
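The trust model John describes ("if enough people that I trust have signed that key, then I will trust that key") and the lsign/sign distinction can be made concrete with a small simulation. The following is an added example, not code from the thread or from GnuPG; it is a toy model of GnuPG's classic web-of-trust validity rule, using the real default thresholds (one fully trusted certifier, or three marginally trusted ones, make a user ID fully valid). The key id "pqm-key", the keyring owners, and the certifications are constructed for the example. It shows three things from the thread: exportable signatures from colleagues John has assigned owner trust to make the key valid in John's keyring without John signing it; local (lsign) signatures count only in the signer's own keyring; and validity is per user ID, so signatures on 'pqm at canonical.com' say nothing about a 'pqm at pqm.ubuntu.com' UID until that UID exists and is certified.

```python
"""Toy model of GnuPG's classic web-of-trust validity computation.

Constructed example, not GnuPG code. Simplified: a single certification
depth, no key expiry or revocation, and per-UID validity only.
"""
from dataclasses import dataclass, field

# GnuPG classic defaults: a UID is fully valid when certified by 1 fully
# trusted key or by 3 marginally trusted keys (--completes-needed /
# --marginals-needed).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


@dataclass(frozen=True)
class Certification:
    signer: str        # key id of the certifying key
    key: str           # key id being certified
    uid: str           # the user ID the certification covers
    exportable: bool   # False for "lsign": local, never uploaded


@dataclass
class Keyring:
    owner: str
    # key id -> "full" | "marginal"; anything missing is "unknown"
    ownertrust: dict = field(default_factory=dict)
    certs: set = field(default_factory=set)


def publish(certs, keyrings):
    """Exportable certs reach every keyring (as via a keyserver);
    local certs stay in the signer's own keyring only."""
    for c in certs:
        for kr in keyrings:
            if c.exportable or kr.owner == c.signer:
                kr.certs.add(c)


def uid_validity(kr, key, uid):
    """Return 'full', 'marginal' or 'unknown' for (key, uid) as seen from kr."""
    signers = {c.signer for c in kr.certs if c.key == key and c.uid == uid}
    if kr.owner in signers:
        return "full"   # your own certification (ultimate trust) is enough
    full = sum(1 for s in signers if kr.ownertrust.get(s) == "full")
    marginal = sum(1 for s in signers if kr.ownertrust.get(s) == "marginal")
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if full + marginal > 0:
        return "marginal"
    return "unknown"


# Constructed identifiers for the scenario in the thread.
PQM = "pqm-key"
OLD_UID = "pqm at canonical.com"
NEW_UID = "pqm at pqm.ubuntu.com"
COLLEAGUES = ["martin", "robert", "james", "aaron"]


def colleagues_sign(exportable, signed_uid=OLD_UID):
    """Four colleagues certify one UID; John trusts each of them marginally.
    Returns John's view of (OLD_UID, NEW_UID) validity."""
    john = Keyring("john", ownertrust={c: "marginal" for c in COLLEAGUES})
    others = [Keyring(c) for c in COLLEAGUES]
    certs = [Certification(c, PQM, signed_uid, exportable) for c in COLLEAGUES]
    publish(certs, [john] + others)
    return uid_validity(john, PQM, OLD_UID), uid_validity(john, PQM, NEW_UID)


def john_lsigns():
    """John lsigns the new UID: valid for John, invisible to Martin even
    though Martin fully trusts John's key."""
    john = Keyring("john")
    martin = Keyring("martin", ownertrust={"john": "full"})
    publish([Certification("john", PQM, NEW_UID, exportable=False)], [john, martin])
    return uid_validity(john, PQM, NEW_UID), uid_validity(martin, PQM, NEW_UID)


if __name__ == "__main__":
    print("exportable signs on old UID:", colleagues_sign(True))
    print("lsigns on old UID:          ", colleagues_sign(False))
    print("exportable signs on new UID:", colleagues_sign(True, NEW_UID))
    print("John lsigns (john, martin): ", john_lsigns())
```

Run as a script it prints John's view in each case: four exportable signatures from marginally trusted colleagues make the certified UID fully valid in his keyring, four lsigns leave it unknown, and certifying the old UID does nothing for the new one.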
