Re: GPG and Signing
-----BEGIN PGP SIGNED MESSAGE-----
On Sun, Apr 01, 2007 at 10:16:10PM -0400, cga2000 wrote:
> On Sun, Apr 01, 2007 at 08:32:19PM EDT, Michael Pobega wrote:
> > On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> > > Michael Pobega writes:
> > > > Is it a bad practice to verify keyrings of people on the mailing list, or
> > > > is it better to wait until I meet up with some of them at say Debconf or
> > > > something similar?
> > >
> > > Depends on what you mean by "verify". There is nothing wrong with
> > > downloading their public keys and using them to verify that all the
> > > messages purporting to come from them are indeed signed with the same key
> > > and so probably did come from the same person. However, you should not
> > > sign someone's key unless you have met them, interviewed them, and examined
> > > and verified their credentials.
> > >
> > What exactly is signing a key, and how does it work?
> > I'd Google it...but I wouldn't know where to start.
> When I can't think of the right keywords to google for straight answers
> I usually enter "wiki subject" (with a few variations) on the "advanced
> search" screen until I pull out stuff that looks vaguely promising ..
> read a few articles .. follow a few links .. etc. try to acquire a bit
> of background .. jot down a few buzzwords .. then get back to google
> with a better idea what I'm looking for .. start over .. etc.
> Not a magic bullet .. time-consuming .. but in my case this approach
> has proved fairly helpful so far.
Now I'm afraid.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----