certification of signatures

Todd Zullinger tmz at pobox.com
Sat Oct 18 12:57:45 UTC 2008


Tim wrote:
> I'm curious about why you'd need to do it with a local key.

Not a local key, a local, non-exportable signature, as opposed to an
exportable signature, which is what gpg creates by default.

You don't "need" to use a local signature, but I feel it is preferable
(especially when giving advice to folks that might not spend much time
reading on the nuances of GPG).

The reason I consider it preferable is that it prevents new users from
signing the fedora key with a typical, exportable signature which they
can easily leak to a keyserver¹ and cost themselves some credibility
as a key signer.  It costs credibility, IMO, because I know that there
is practically no way for those folks to have done the sort of
verification of the fedora key worthy of adding their signature to the
key.

My advice is that if someone feels the need to sign the fedora key to
make the warnings go away, they should use a local, non-exportable
signature (gpg's --lsign option).  It's also well worth considering
whether they need to sign the fedora key at all. :)

¹ Like this:
  http://keys.gnupg.net:11371/pks/lookup?op=vindex&search=0xB44269D04F2A6FD2

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Despite the high cost of living, it remains a popular item.
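The point Todd makes above (a local signature stays in your own keyring and cannot be leaked to a keyserver by a plain `gpg --export` or `--send-keys`) can be checked directly. The script below is an added example, not part of the list post: it builds throwaway keys in temporary GNUPGHOMEs (the "Fedora stand-in" key is a constructed substitute, not the real Fedora key), certifies the stand-in with the non-interactive equivalent of `gpg --lsign-key`, and then confirms that the certification is flagged local in the signer's keyring and is absent from the exported copy. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--quick-lsign-key`) and a working gpg-agent.

```shell
#!/bin/sh
# Added example (not from the original post): show that a local,
# non-exportable signature made with gpg --lsign-key / --quick-lsign-key
# never leaves the keyring via gpg --export, so it cannot be leaked to a
# keyserver by accident.  All keys are throwaway keys generated here; the
# "Fedora stand-in" key is constructed for the demo, not the real Fedora key.
set -eu

# Count "sig" records on key $2 in keyring $1 issued by long key ID $3
# whose class field (field 11 of --with-colons output) matches regex $4.
# gpg appends "x" for an exportable and "l" for a local signature, e.g. "10l".
count_sigs() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-sigs "$2" 2>/dev/null \
        | awk -F: -v s="$3" -v re="$4" '$1=="sig" && $5==s && $11 ~ re' \
        | wc -l | tr -d ' '
}

# Generate an unprotected throwaway key in keyring $1 for user ID $2 and
# print its fingerprint.
make_key() {
    GNUPGHOME="$1" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$2" default default never 2>/dev/null
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1=="fpr" {print $10; exit}'
}

demo_local_sig() {
    if ! command -v gpg >/dev/null 2>&1; then
        DEMO_STATUS=skipped
        echo "gpg not installed; skipping" >&2
        return 0
    fi
    signer_home=$(mktemp -d)
    target_home=$(mktemp -d)
    verify_home=$(mktemp -d)

    signer_fpr=$(make_key "$signer_home" "Example Signer <signer@example.invalid>")
    target_fpr=$(make_key "$target_home" "Constructed Fedora Stand-in <stand-in@example.invalid>")
    # The long key ID is the last 16 hex digits of the fingerprint.
    signer_kid=$(printf '%s' "$signer_fpr" | tail -c 16)

    # Import only the public part of the stand-in key, as a user would.
    GNUPGHOME="$target_home" gpg --batch --export "$target_fpr" \
        | GNUPGHOME="$signer_home" gpg --batch --quiet --import 2>/dev/null

    # Certify it with a LOCAL signature (non-interactive form of "gpg --lsign-key").
    GNUPGHOME="$signer_home" gpg --batch --yes --passphrase '' --pinentry-mode loopback \
        --default-key "$signer_fpr" --quick-lsign-key "$target_fpr" 2>/dev/null

    # In the signer's own keyring the certification is present and flagged "l".
    LOCAL_SIGS_IN_KEYRING=$(count_sigs "$signer_home" "$target_fpr" "$signer_kid" 'l$')

    # Export the key as one would before uploading it, import it into a clean
    # keyring, and look for the certification: gpg strips local signatures.
    GNUPGHOME="$signer_home" gpg --batch --export "$target_fpr" \
        | GNUPGHOME="$verify_home" gpg --batch --quiet --import 2>/dev/null
    SIGS_IN_EXPORT=$(count_sigs "$verify_home" "$target_fpr" "$signer_kid" '.')

    for h in "$signer_home" "$target_home" "$verify_home"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
    DEMO_STATUS=ok
    echo "local sigs in signer keyring: $LOCAL_SIGS_IN_KEYRING (expect 1)"
    echo "sigs by signer in exported key: $SIGS_IN_EXPORT (expect 0)"
}

demo_local_sig
```

The `--with-colons --list-sigs` listing used in `count_sigs` is also a quick way to audit your own keyring before a `--send-keys`: any certification whose class ends in `x` is exportable and will travel with the key. Local signatures can only cross keyrings when both sides opt in (`--export-options export-local-sigs` on one end and `--import-options import-local-sigs` on the other), which is what makes `--lsign-key` the safe default for the "make the warnings go away" case.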
