Jeff, please excuse me if I'm taking too much out of context from your mail. Jeff Spaleta wrote: > GPG keysigning events typically involve face-to-face meetings with > some form of official documentation (drivers licenses AND passports > typically) which people agree to trust. Those identification documents > are crucial elements of GPG signing events... they form a baseline > expectation that you are who you say you are. You can't do that sort > of thing with the fedora signing key. You can't meet face-to-face to > verify its identity, you can't get government issued ID which form the > baseline for trust (assuming the ID is of course not falsified). It is quite true that the Fedora key cannot be verified by most of us in the same way that we could verify the key of an individual. But... > At best we could maybe get the release engineering people who have > direct access to the key to create detached signatures, because they > perhaps the only people who do not have to be transmitted the key in > order to sign it. This would be excellent. (Though I would hate to ask Jesse to do any more work at this time. :) > But now you are left with the problem of trusting their personal > keys. Are those people in your web of trust? Yes. From FUDCon Raleigh, I'm a hop away from Jesse's key, as it is signed by Matt Domsch, whom I traded signatures with. That wasn't very hard, and I don't even consider myself to be all that well connected. :) > Are you going to meet face to face with them and exchange key > signatures? Where possible, definitely. It's a nice excuse to meet some new people and chat a little about geekery. > If rpm's key management doesn't handle signed keys..how do you know > to trust their keys which signed the signature. Very simple: by using gpg to look at the signatures on a key before importing it. This is precisely how https://fedoraproject.org/keys explains how to verify a key. > And on and on....all of it outside of the band of rpm. And that's perfectly fine. Yes, it means that it isn't the sole method that all users will use to establish trust in the new keys, but it also isn't a method that takes much time at all (I refer only to having Jesse and other rel-eng folks that were involved in generating the key signing it, not having some other repository's key sign it). > You can take a look at the existing Fedora Project key at > pgp.mit.edu's search. It's been signed by 3rd parties. So some > individuals have signed the key. Do you trust them? Most of them, no. In fact, those that have signed this key are folks whose signatures now hold less weight with me since they were willing to sign a key that they could not possibly have done much meaningful verification on. > -jef"I should go ahead and sign the old key now, just because it > doesn't matter"spaleta Hopefully you understand gpg a little better than that and know that signing a key you can't have verified just devalues the weight of your signatures. ;) And, just so it doesn't seem like I'm suggesting we require this as part of the new key release plan, I must say that I do find publishing the key's fingerprint at https://fedoraproject.org/keys to be enough for me to establish trust in it. Adding a sig on the public key servers from Jesse (and/or other rel-eng folks with access to it) would simply be a nice bonus. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I expected times like this -- but never thought they'd be so bad, so long, and so frequent. -- Demotivators (www.despair.com)
Attachment:
pgpjQf0L45i1V.pgp
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines