pqm at canonical.com key needs a new email, and some signatures
John A Meinel
john at arbash-meinel.com
Wed May 10 16:43:52 BST 2006
Martin Pool wrote:
> On 9 May 2006, John A Meinel <john at arbash-meinel.com> wrote:
>
>> Well, we still need it to have 'pqm at pqm.ubuntu.com'.
>
> Robert, can you fix that please?
>
>> My understanding of 'lsign' is that it is 'local sign', meaning you will
>> sign it, but won't ever upload your signature to a keyserver.
>
> I think that's correct.
...
>> I really think there are benefits to having the pqm's key signed by
>> others. But I don't know what the gpg world's idea is, since it seems to
>> only want to claim a physical document => digital signature connection.
>> (Verifying passports and driver's licenses is all good, except that still
>> doesn't confirm the person, just a couple of documents => digital key).
>
> GPG the software doesn't care. Common practice is to check government
> issued ids, but it doesn't have to be so -- a typical case is someone
> who is commonly known by a name that is not their legal name. It is up
> to each signer what criteria *they* think are convincing, and then up to
> other people to decide whether they trust the signer to apply good
> criteria consistently.
>
> In other words you can sign it to say "I am convinced that this private
> key is the one that signs bzr.dev commits."
>
I realize gpg the software doesn't care. I'm just trying to play nice
with the gpg fanatics.
I think it is a tool, and I can use it the best I see how. But I realize
people have put a lot more faith in it, and since it is their baby, I'll
let them influence my use patterns.
I think a definite weakness in the web of trust is how to handle people
that aren't as strict as other people about whose keys they sign. If you
were legally integrated into the WoT (say by a bunch of keysigning
parties), and then went out and signed 100s of bogus keys, which signed
each other, etc. Is there some way to disavow that sub-web?
John
=:->