pqm at canonical.com key needs a new email, and some signatures
Martin Pool
mbp at canonical.com
Thu May 11 02:13:13 BST 2006
On 10 May 2006, John A Meinel <john at arbash-meinel.com> wrote:
> I realize gpg the software doesn't care. I'm just trying to play nice
> with the gpg fanatics.
>
> I think it is a tool, and I can use it the best I see how. But I realize
> people have put a lot more faith in it, and since it is their baby, I'll
> let them influence my use patterns.
If you strictly insist on signing only people's government-approved
keys, then it's impossible to sign keys corresponding to machines or
roles. And yet such things are quite useful for cases such as pqm.
> I think a definite weakness in the web of trust is how to handle people
> that aren't as strict as other people about whose keys they sign. If you
> were legally integrated into the WoT (say by a bunch of keysigning
> parties), and then went out and signed 100's of bogus keys, which signed
> each other, etc. Is there some way to disavow that sub-web?
Well, everyone else can go through and set the trust for the crazy
signer to 'not trusted'. Traditional pgp didn't provide any mechanism
afaik to publicise your trust or lack of trust in a person's judgement,
as opposed to their identity. I see gpg now has

    tsign
        Make a trust signature. This is a signature that combines the
        notions of certification (like a regular signature), and trust (like the
        "trust" command). It is generally only useful in distinct communities or
        groups.

--
Martin
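
A simplified model of the validity calculation discussed in this message, as an added example that is not part of the original post and not gpg's own code. The key names are constructed, and the thresholds (one fully trusted or three marginally trusted signatures, depth 5) are assumed from GnuPG's documented defaults for its classic trust model.

```python
# Simplified model of the classic PGP/GnuPG trust calculation (added example).
# Owner trust is a local, private setting: it says whose *judgement* I rely on,
# separately from whether I believe a key belongs to its claimed owner.
FULL, MARGINAL, NONE = "full", "marginal", "none"


def valid_keys(me, sigs, ownertrust, completes_needed=1, marginals_needed=3,
               max_depth=5):
    """Return the set of keys that are valid from `me`'s point of view.

    sigs:       dict mapping key -> set of keys that have signed it
    ownertrust: dict mapping key -> FULL / MARGINAL / NONE, chosen by `me`
    """
    valid = {me}
    for _ in range(max_depth):          # each pass extends the chain one hop
        newly = set()
        for key, signers in sigs.items():
            if key in valid:
                continue
            # Signatures only count when the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(1 for s in counted
                       if s == me or ownertrust.get(s, NONE) == FULL)
            marginal = sum(1 for s in counted
                           if ownertrust.get(s, NONE) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed sample web: I signed "crazy" after checking ID; "crazy" then
# signed bogus keys, which also signed each other.
SIGS = {
    "crazy": {"me"},
    "bogus1": {"crazy", "bogus2"},
    "bogus2": {"crazy", "bogus1"},
    "bogus3": {"bogus1", "bogus2"},
}


def compare():
    """Validity with the signer fully trusted vs. set to 'not trusted'."""
    trusted = valid_keys("me", SIGS, {"crazy": FULL})
    distrusted = valid_keys("me", SIGS, {"crazy": NONE})
    return trusted, distrusted
```

With the signer's owner trust set to none, the signer's own key stays valid but nothing that depends only on their signatures does; `bogus3` is never valid because the bogus keys were never given owner trust.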