On Fri, Sep 5, 2008 at 2:08 PM, Todd Zullinger <tmz@xxxxxxxxx> wrote:

> This would be excellent. (Though I would hate to ask Jesse to do any
> more work at this time. :)

Ah, there's the rub. You want him to sign it... but you don't want to ask him to sign it. You want someone like me to order him to sign it.

Check that list of signatories again for the old key at pgp.mit.edu. Did Jesse ever sign the old key? If the answer was no... and you trusted that key before... did you really need Jesse to sign the new one to trust it now?

Tell me the name of the one person everyone is going to trust when they sign the key. Is everyone going to trust Jesse? Really? Everyone? If that were so, I think Jesse would have been the first suggestion... not livna.

> Most of them, no. In fact, those that have signed this key are folks
> whose signatures now hold less weight with me since they were willing
> to sign a key that they could not possibly have done much meaningful
> verification on.

How do you KNOW they didn't do any meaningful verification on it? How do you KNOW that anyone does meaningful verification on any key before they sign it? In the case of the original Fedora signing key, did you call up each of those individuals and ask them? You have no idea if they did or did not verify the key adequately. In fact, you will have a very hard time getting people to agree on what "adequately" means for a signing key that is not attached to a human identity. Until you ask them why they were comfortable signing the key, you don't know if those individuals are less trustworthy or not... and even then you have to trust their answers.

To trust any signature on any key you must make assumptions about the actions of others. What's even funnier is that you just admitted that, in the case of the Fedora signing key, your assumptions concerning other people's actions decrease overall trust. Which is the exact opposite of what you want!

You want people to sign the key to increase trust... but you just stated that having lots of people sign the previous key means you assume they didn't do it right, and that you decrease trust in them instead of increasing trust in the key. MADNESS.

You just admitted that the signing key is treated differently than a normal gpg key because it's not attached to an identity. And that's sort of the point. The web-of-trust concept does not equally apply to keys which are not strongly attached to a verifiable human identity. The web of trust is illusory for keys that are not strongly attached to human identities.

-jef

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/MailingListGuidelines
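The check Jef suggests above (look at who certified the old key, and ask whether the people now certifying the new key ever certified the old one) can be done mechanically from keyserver data. The following is an added example written for this page, not code from the thread or from the Fedora project. It parses the machine-readable output of `gpg --with-colons --list-sigs <keyid>` (a real gpg option; the record layout is gpg's documented colon format), drops the self-signature and any certification that has a matching `rev` revocation record, and reports which signers appear on both keys, only on the old one, or only on the new one. The two listings, the key IDs and the signer names are constructed samples, not real Fedora or keyserver data.

```python
"""Compare third-party certifications on an old and a new OpenPGP key.

Input is the colon-delimited output of ``gpg --with-colons --list-sigs``.
Relevant record fields (1-based, per gpg's DETAILS documentation):
  field 1  record type: pub, uid, sig, rev
  field 5  key ID (for sig/rev: the signer's key ID)
  field 10 user ID (for sig/rev: the signer's user ID, if gpg knows the key)
  field 11 signature class, e.g. 13x = positive certification, exportable;
           30x = certification revocation
The listings below are CONSTRUCTED samples; every key ID and name is invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: what `gpg --with-colons --list-sigs 0000000000000001` could print
# for an old project signing key with three third-party certifications, one of
# which (Carol's) was later revoked.
OLD_KEY_LISTING = """\
pub:-:1024:17:0000000000000001:1046377020:::-:Example Project signing key <key@example.org>::scESC:
uid:-::::1046377020::0123456789ABCDEF0123456789ABCDEF01234567::Example Project signing key <key@example.org>:
sig:::17:0000000000000001:1046377020::::Example Project signing key <key@example.org>:13x:
sig:::17:00000000000000A1:1050000000::::Alice Signer <alice@example.org>:13x:
sig:::17:00000000000000B2:1050000001::::Bob Signer <bob@example.org>:10x:
sig:::17:00000000000000C3:1050000002::::Carol Signer <carol@example.org>:13x:
rev:::17:00000000000000C3:1060000000::::Carol Signer <carol@example.org>:30x:
"""

# Constructed: the replacement key, certified by Bob (again) and by Dave (new).
NEW_KEY_LISTING = """\
pub:-:4096:1:0000000000000002:1220000000:::-:Example Project signing key (2008) <key@example.org>::scESC:
uid:-::::1220000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Example Project signing key (2008) <key@example.org>:
sig:::1:0000000000000002:1220000000::::Example Project signing key (2008) <key@example.org>:13x:
sig:::17:00000000000000B2:1220500000::::Bob Signer <bob@example.org>:13x:
sig:::1:00000000000000D4:1220600000::::Dave Signer <dave@example.org>:13x:
"""


@dataclass(frozen=True)
class Certification:
    signer_keyid: str
    signer_uid: str
    sig_class: str  # e.g. "13x"; the trailing x means exportable


def parse_listing(listing: str) -> Tuple[str, Dict[str, Certification]]:
    """Return (primary key ID, {signer key ID: Certification}).

    Self-signatures are dropped (they prove nothing about third parties) and
    so is any signer who also has a ``rev`` record, i.e. a revoked certification.
    """
    primary = None
    certs: Dict[str, Certification] = {}
    revoked = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            primary = fields[4]
        elif fields[0] == "sig":
            certs[fields[4]] = Certification(fields[4], fields[9], fields[10])
        elif fields[0] == "rev":
            revoked.add(fields[4])
    if primary is None:
        raise ValueError("listing has no pub record")
    for keyid in revoked:
        certs.pop(keyid, None)
    certs.pop(primary, None)
    return primary, certs


def signed_by(listing: str, signer_keyid: str) -> bool:
    """Does the key in this listing carry a live certification from signer_keyid?"""
    return signer_keyid in parse_listing(listing)[1]


def compare_signers(old_listing: str, new_listing: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (signers of both keys, signers of only the old key, signers of only the new key)."""
    _, old = parse_listing(old_listing)
    _, new = parse_listing(new_listing)
    return (
        sorted(set(old) & set(new)),
        sorted(set(old) - set(new)),
        sorted(set(new) - set(old)),
    )


if __name__ == "__main__":
    both, only_old, only_new = compare_signers(OLD_KEY_LISTING, NEW_KEY_LISTING)
    print("certified both keys:", both)
    print("certified only the old key:", only_old)
    print("certified only the new key:", only_new)
```

Two caveats a practitioner should keep in mind when running this against a real keyserver dump: `--list-sigs` does not verify anything, so a `sig` record is only a claim until `gpg --check-sigs` has validated it with the signer's public key present; and a keyserver accepts uploads from anyone, so the presence of a signer's key ID on a key is not evidence that that person actually signed it until the signature checks out.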