
Re: Migrating to GPG - A mini-HOWTO



Paul Slootman <paul@wau.mis.ah.nl> writes:

> On Wed 15 Sep 1999, Philip Hands wrote:
> > 
> > I know there is some pathetic kudos about how many signatures you have
> 
> Is the "pathetic" part the reason why you don't have any? :-)

Ah, I'd not updated my key in the keyring since I joined.  Well, not
until last week, that is; you'll find a few signatures on my keys in
debian-keyring_1999.09.12_all.deb

No, the "pathetic" part is that people seem to be more worried about
the number, rather than the quality, of the signatures.

Not that it matters, but my PGP key is currently signed by 6 people
(all of whom have seen me and my passport when I gave them my
fingerprint) and my GPG key is signed by two people (on the same
basis) as well as being signed by both my GPG and PGP keys.

As long as we don't adopt the ``sign by mail'' approach, the
combination of these two signatures and my own PGP signature on the
new GPG key should be sufficient to prove that it's not an identity
hijack in progress.  If however we accept the ``sign by mail'' idea
those two signatures might prove nothing more than the foolishness of
the signers.

I really see no point in trying to persuade my other PGP signers to
sign my GPG key on the strength of an e-mail.  If I succeeded in doing
so it would simply prove that that person was willing to sign keys on
insufficient evidence, and as such that they should be removed from
our web of trust.

Cheers, Phil.
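An added example (not part of this thread) of checking the evidence Phil describes: it parses `gpg --with-colons --check-sigs` output for the new key, confirms that the old key has a good certification on every user ID, and lists the distinct third-party certifiers, so quality can be judged rather than a raw count. The key IDs and the sample output are constructed placeholders, not real keys.

```python
"""Check a newly introduced GPG key for a cross-certification from the old key and
list its distinct good third-party certifiers, from `gpg --with-colons --check-sigs`."""
# Placeholder 16-hex-digit key IDs used by the constructed sample (not real keys).
NEW_KEY, OLD_KEY = "00000000AAAA0001", "00000000BBBB0002"
SIGNER_1, SIGNER_2, SIGNER_3 = "00000000CCCC0003", "00000000CCCC0004", "00000000CCCC0005"

# Constructed sample output for NEW_KEY. In a 'sig' record, field 2 is '!' good,
# '-' bad, '?' signer key unknown; field 5 is the signer; field 11 is the class.
SAMPLE_COLONS = f"""\
pub:u:1024:17:{NEW_KEY}:1999-09-08:::u:::scESC:
uid:u::::1999-09-08::0::Phil Example <phil@example.invalid>:
sig:!::17:{NEW_KEY}:1999-09-08::::Phil Example <phil@example.invalid>:13x:
sig:!::1:{OLD_KEY}:1999-09-09::::Phil Example (old PGP key) <phil@example.invalid>:13x:
sig:!::17:{SIGNER_1}:1999-09-10::::First Signer <one@example.invalid>:13x:
sig:-::17:{SIGNER_2}:1999-09-10::::Second Signer <two@example.invalid>:13x:
sig:?::17:{SIGNER_3}:1999-09-11::::[User ID not found]:10x:
sub:u:1024:16:00000000AAAA0009:1999-09-08::::::e:
sig:!::17:{NEW_KEY}:1999-09-08::::Phil Example <phil@example.invalid>:18x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # 0x10..0x13: user ID certifications

def parse_certifications(colons_output: str) -> dict[str, set[str]]:
    """Map each user ID to the key IDs whose certification gpg verified as good."""
    certs: dict[str, set[str]] = {}
    uid = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]
            certs.setdefault(uid, set())
        elif f[0] in ("sub", "ssb"):
            uid = None  # following 'sig' records are subkey binding signatures
        elif f[0] == "sig" and uid and f[1] == "!" and f[10][:2] in CERT_CLASSES:
            certs[uid].add(f[4])
    return certs

def cross_certified(colons_output: str, old_key: str) -> bool:
    """True when the old key has a good certification on every user ID of the new key."""
    certs = parse_certifications(colons_output)
    return bool(certs) and all(old_key in s for s in certs.values())

def third_party_certifiers(colons_output: str, own_keys: set[str]) -> set[str]:
    """Distinct good certifiers other than the owner's own keys (quality, not count)."""
    return set().union(*parse_certifications(colons_output).values()) - own_keys

if __name__ == "__main__":
    print("cross-certified by old key:", cross_certified(SAMPLE_COLONS, OLD_KEY))
    print("third-party certifiers:", third_party_certifiers(SAMPLE_COLONS, {NEW_KEY, OLD_KEY}))
```

Against a real keyring, feed the function the stdout of `gpg --with-colons --check-sigs <new key id>`; a signer whose key is not in the keyring shows up as '?' and is rightly not counted.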

