Re: GPG and Signing
Michael Pobega writes:
> Is it a bad practice to verify keyrings of people on the mailing list, or
> is it better to wait until I meet up with some of them at say Debconf or
> something similar?
Depends on what you mean by "verify". There is nothing wrong with
downloading their public keys and using them to verify that all the
messages purporting to come from them are indeed signed with the same key
and so probably did come from the same person. However, you should not
sign someone's key unless you have met them, interviewed them, and examined
and verified their credentials.