Re: GPG and Signing
On Sun, Apr 01, 2007 at 08:32:19PM EDT, Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> > Michael Pobega writes:
> > > Is it a bad practice to verify keyrings of people on the mailing list, or
> > > is it better to wait until I meet up with some of them at say Debconf or
> > > something similar?
> >
> > Depends on what you mean by "verify". There is nothing wrong with
> > downloading their public keys and using them to verify that all the
> > messages purporting to come from them are indeed signed with the same key
> > and so probably did come from the same person. However, you should not
> > sign someone's key unless you have met them, interviewed them, and examined
> > and verified their credentials.
> >
>
> What exactly is signing a key, and how does it work?
>
> I'd Google it...but I wouldn't know where to start.

When I can't think of the right keywords to google for straight answers
I usually enter "wiki subject" (with a few variations) on the "advanced
search" screen until I pull out stuff that looks vaguely promising ..
read a few articles .. follow a few links .. etc. try to acquire a bit
of background .. jot down a few buzzwords .. then get back to google
with a better idea what I'm looking for .. start over .. etc.

Not a magic bullet .. time-consuming .. but in my case this approach
has proved fairly helpful so far.

HTH

Thanks,
cga