[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the DAMs

* martin f. krafft:

> key management still requires some sort of professionalism. Just
> creating a key and signing it isn't the entire game; 

I disagree.  Even Verisign claims it isn't liable for its certificate.
In this case, the only response to a bad signing key is to remove it
from your APT installation.  No elaborate framework of certifying keys
is going to change that.

> users need multiple ways to verify the key until the trust level
> meets their requirements. Right now, one single method exists, and
> its weak.

There are at least two.

Reply to: