Re: Bits from the DAMs
* martin f. krafft:
> key management still requires some sort of professionalism. Just
> creating a key and signing it isn't the entire game;
I disagree. Even Verisign claims it isn't liable for its certificate.
In this case, the only response to a bad signing key is to remove it
from your APT installation. No elaborate framework of certifying keys
is going to change that.
> users need multiple ways to verify the key until the trust level
> meets their requirements. Right now, one single method exists, and
> it's weak.
There are at least two.