
Re: Where should I put my public key?



On Mon, Mar 15, 2004 at 07:37:24PM -0800, Number Six wrote:
> >   gpg --keyserver pgp.mit.edu --send-key mbrubeck@cs.hmc.edu
> 
> Okay, I did that.  Is there a canonical-Debian way to point the world 
> there to verify it?  So they'll actually trust the .dsc?
> 
> Or do I just do that in an out-of-band way such as the Readme or 
> Changelog?

If there's a signature on something, usually the first place someone will
look will be the key network (and keyring.debian.org, for Debian stuff, if
they're familiar with it).

So now your key's there, that's that sorted.  But nobody knows you from a
bar of soap.  We don't have any trust that the key that signed those files
belongs to the person it says it does.  So you need to get identity
verifying signatures added to your key.  Until then, the key is effectively
useless for verification purposes, except to say that a package that I
download today is signed by the same key it was whenever I last downloaded
one of your packages.  That is of limited usefulness.

Have a google around for key signing and key signing parties, and get
yourself into the web of trust.  That's the number 1 best way to "bootstrap
yourself in".

- Matt


