Anne Wilson wrote:
> Exactly. In this case there were all the appropriate checks, but
> all you can see is a list of names, and I suppose you can check that
> those names are ones you have reason to trust, but that's all, and
> it's a bit vague.

Doesn't it go without saying that each person should only trust people
that they, well, trust? :)

> Absolutely. It would help if the action of signing included some
> information about the act, such as whether it was carried out at a
> LUG, Conference, or some other organisation, so you could come to
> some decision about its reliability, but there is no such thing.

Actually, there is a way to make such notes (though that still won't
mean much to anyone that doesn't already trust you to make decent
signatures).

You can include notations when you sign/certify a key. You can also
include a certification policy URL. These can be displayed in gpg
with the show-notations and show-policy-urls list options.

For example, on keys I've signed in the past few years, I added a
policy URL. The results look a bit like this:

    $ gpg --list-options 'show-policy-urls' --list-sigs silfreed
    pub   1024D/ED00D312 2000-06-21
    uid                  Douglas E. Warner <silfreed@...>
    sig 3        ED00D312 2005-11-02  Douglas E. Warner <silfreed@...>
    sig 2   P    BEAF0CE3 2006-08-07  Todd M. Zullinger <tmz@...>
       Signature policy: http://www.pobox.com/~tmz/pgp/cert-policy.asc
    [...]

I don't intend for that to make anyone trust my signatures unless they
know a bit about me, of course. But I do try to be a good example and
let those who may trust me know just what I mean when they see a
signature from me on a key.

Both notations and cert policy URLs may contain some data that is
unique to a particular signature. Strings such as %k, %K, and %f will
be expanded to the short key id, long key id, and fingerprint of the
key being signed, respectively. That way, you could make the notation
or policy URL point to a page for each signature. There you could
include such details as where you met, what information you exchanged,
etc.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hard work never killed anybody, but why take a chance?
    -- Charlie McCarthy
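
The following is an added example, not part of the message above or of anyone's published signing setup: a shell preview of what a policy URL template containing %k, %K or %f expands to for a given key, so the per-signature page can be published at that address before certifying. It assumes a 40-hex-digit fingerprint whose last 16 and last 8 digits are the long and short key ids; the example.org URLs, the `met-at@example.org` notation name, the sample fingerprint and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original message.
# The fingerprint and example.org URLs below are constructed sample values.

# expand_cert_template TEMPLATE FINGERPRINT
# Print TEMPLATE with %k, %K and %f replaced by the short key id, long key
# id and fingerprint of the key being signed. Assumes a 40-hex-digit
# fingerprint; any other text in TEMPLATE is left untouched.
expand_cert_template() {
    template=$1
    # gpg prints fingerprints in space-separated groups; normalise first.
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $fpr in
        ''|*[!0-9A-F]*) echo "not a hex fingerprint: $2" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "expected 40 hex digits, got ${#fpr}" >&2
        return 1
    fi
    long=$(printf '%s' "$fpr" | cut -c25-40)    # last 16 hex digits
    short=$(printf '%s' "$fpr" | cut -c33-40)   # last 8 hex digits
    printf '%s\n' "$template" |
        sed -e "s/%f/$fpr/g" -e "s/%K/$long/g" -e "s/%k/$short/g"
}

# certify_with_policy KEY POLICY_URL_TEMPLATE NOTATION
# Certify KEY, attaching the policy URL and one notation (name@domain=value).
# gpg performs the %-expansion itself; this is interactive, so it is only
# defined here and not run.
certify_with_policy() {
    gpg --cert-policy-url "$2" --cert-notation "$3" --sign-key "$1"
}

# Preview where the per-signature page has to be published before signing.
SAMPLE_FPR='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
expand_cert_template 'https://example.org/certs/%K.txt' "$SAMPLE_FPR"
# Then, for a real key:
#   certify_with_policy KEYID 'https://example.org/certs/%K.txt' \
#       'met-at@example.org=LUG meeting'
#   gpg --list-options show-policy-urls,show-notations --list-sigs KEYID
```

A short key id such as the 8-digit one shown in `--list-sigs` output is rejected by the preview function, since the long id and fingerprint cannot be derived from it.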
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines