pqm at canonical.com key needs a new email, and some signatures

Martin Pool mbp at canonical.com
Wed May 10 03:45:04 BST 2006

On  9 May 2006, John A Meinel <john at arbash-meinel.com> wrote:

> Well, we still need it to have 'pqm at pqm.ubuntu.com'.

Robert, can you fix that please?

> My understanding of 'lsign' is that it is 'local sign', meaning you will
> sign it, but won't ever upload your signature to a keyserver.

I think that's correct.

> Most clients use a trust model of "if enough people that I trust have
> signed that key, then I will trust that key". Which doesn't have a
> concept of how much the other people trust the key, just that they
> signed it.
> I would like to be able to trust the pqm because Martin, Robert, James,
> and Aaron all trust it, without having to go out and sign it myself.

Yes, I agree.

> I really think there are benefits to having the pqm's key signed by
> others. But I don't know what the gpg world's idea is, since it seems to
> only want to claim a physical document => digital signature connection.
> (Verifying passports and driver's licenses is all good, except that still
> doesn't confirm the person, just a couple of documents => digital key).

GPG the software doesn't care.  Common practice is to check
government-issued IDs, but it doesn't have to be so -- a typical case is someone
who is commonly known by a name that is not their legal name.  It is up
to each signer what criteria *they* think are convincing, and then up to
other people to decide whether they trust the signer to apply good
criteria consistently.

In other words you can sign it to say "I am convinced that this private
key is the one that signs bzr.dev commits."
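
The trust calculation John describes, and why `lsign` signatures would not help him, shown as an added example that is not part of the original message: a simplified Python model of GnuPG's classic trust model with its default thresholds (one fully trusted or three marginally trusted signers). The key labels, the owner-trust assignments and the keyring are constructed for illustration; certification depth limits and expiry are left out.

```python
# Simplified model of GnuPG's classic trust model, using its defaults
# (--completes-needed 1, --marginals-needed 3). Not GnuPG's own code.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

def visible_sigs(sigs, viewer):
    """Signatures the viewer can see: exportable ones, plus the viewer's own
    local (lsign) signatures, which never leave the signer's keyring."""
    return [s for s in sigs if s["exportable"] or s["signer"] == viewer]

def valid_keys(viewer, ownertrust, sigs):
    """Return the set of keys the viewer's keyring would treat as valid.
    ownertrust maps signer -> 'full' or 'marginal' (the viewer's own choice)."""
    sigs = visible_sigs(sigs, viewer)
    valid = {viewer}  # the viewer's own key is ultimately trusted
    changed = True
    while changed:
        changed = False
        for key in {s["key"] for s in sigs} - valid:
            # Only signatures made by keys that are themselves valid count.
            signers = {s["signer"] for s in sigs if s["key"] == key} & valid
            full = sum(1 for k in signers
                       if k == viewer or ownertrust.get(k) == "full")
            marginal = sum(1 for k in signers
                           if ownertrust.get(k) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

DEVS = ["martin", "robert", "james", "aaron"]  # constructed key labels

def scenario(exportable, signers=DEVS, level="marginal"):
    """Constructed keyring: john has signed each developer's key, and the
    given developers have signed the pqm key, exportably or with lsign."""
    sigs = [{"signer": "john", "key": d, "exportable": True} for d in DEVS]
    sigs += [{"signer": d, "key": "pqm", "exportable": exportable}
             for d in signers]
    return valid_keys("john", {d: level for d in DEVS}, sigs)

if __name__ == "__main__":
    print("exported signatures:", "pqm" in scenario(True))
    print("lsign only:         ", "pqm" in scenario(False))
```
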

