
Re: GPG and Signing



On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
Michael Pobega writes:
> Is it a bad practice to verify keyrings of people on the mailing list, or
> is it better to wait until I meet up with some of them at say Debconf or
> something similar?

Depends on what you mean by "verify".  There is nothing wrong with
downloading their public keys and using them to verify that all the
messages purporting to come from them are indeed signed with the same key
and so probably did come from the same person.  However, you should not
sign someone's key unless you have met them, interviewed them, and examined
and verified their credentials.


What exactly is signing a key, and how does it work?

I'd Google it...but I wouldn't know where to start.
----------------------------------------------------------------

While we're still on this, why do most of your (Debian-users-who-sign) emails show up in OE with the signature and the email text as attachments? It seems whether I use GPG or a Thawte cert, they still don't show up as attachments. Are you doing something "special" to make them show up that way, and I assume there's something desirable about doing it that way - please tell me. Makes it hostile to REPLY TO, at least with OE. I suppose the problem is with OE, but I'd still like to understand what's happening. THANKS! - John
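
The check described in the quoted reply above (confirming that every message claiming to come from one sender is signed with the same key) can be run over the machine-readable output of `gpg --status-fd 1 --verify`. The Python below is an added example, not part of the original thread; the addresses, fingerprints and status lines are constructed, and the function names are hypothetical.

```python
# Added example. All fingerprints, addresses and status lines are constructed.

def signer_fingerprint(status_text):
    """Return the primary-key fingerprint from a VALIDSIG line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            args = parts[2:]
            # args[0] is the signing (sub)key; args[9], when present, is the
            # primary key, which stays the same when a subkey is rotated.
            return (args[9] if len(args) >= 10 else args[0]).upper()
    return None  # BADSIG, ERRSIG, NO_PUBKEY or unsigned: nothing validated

def check_continuity(messages):
    """messages: (from_address, gpg_status_text) pairs in arrival order."""
    pinned, results = {}, []
    for sender, status in messages:
        fpr = signer_fingerprint(status)
        if fpr is None:
            verdict = "unverified"
        elif sender not in pinned:
            pinned[sender] = fpr          # first valid signature pins the key
            verdict = "first-seen"
        elif pinned[sender] == fpr:
            verdict = "same-key"
        else:
            verdict = "KEY-CHANGED"       # same From:, different key
        results.append((sender, verdict))
    return results

FPR_A, FPR_B = "A1" * 20, "B2" * 20       # constructed 40-hex fingerprints

def sample_status(fpr):
    """Build constructed status output for a good signature made by fpr."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed User\n"
            f"[GNUPG:] VALIDSIG {fpr} 2007-04-01 1175472595 0 3 0 17 2 00 {fpr}\n")

SAMPLE = [
    ("alice@example.org", sample_status(FPR_A)),
    ("alice@example.org", sample_status(FPR_A)),
    ("alice@example.org", f"[GNUPG:] BADSIG {FPR_A[-16:]} Constructed User\n"),
    ("alice@example.org", sample_status(FPR_B)),
]

if __name__ == "__main__":
    for sender, verdict in check_continuity(SAMPLE):
        print(f"{sender}: {verdict}")
```

A `same-key` result shows continuity with earlier messages only; it says nothing about who holds the key, which is why it is not a basis for signing that key.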


