#296: Provide a way to verify the pgp keys (web of trust)
-------------------------+------------------------
 Reporter:  genodeftest  |       Owner:  webmaster
     Type:  defect       |      Status:  new
 Priority:  major        |   Milestone:
Component:  General      |  Resolution:
 Keywords:               |  Blocked By:
 Blocking:               |
-------------------------+------------------------

Comment (by tmz):

 This has come up before, I believe on the websites or rel-eng list.

 The Fedora signing keys are role keys. The only real person in a position
 to sign the key with meaning is the person who generated it. Others who
 have signed the key almost certainly could not have done any proper
 verification of the key, and thus their signatures do nothing more than
 devalue that individual's signature(s) on other keys (as their signing
 policies are weak).

 The trust path, IMO, is that the keys are served up via SSL/TLS from
 Fedora's official site. All trust starts somewhere, and this is where I
 think trust for role keys like Fedora's signing keys should start (and
 end, personally; but others are free to sign the key as a way of letting
 me know that they sign things they should not sign ;).

--
Ticket URL: <https://fedorahosted.org/fedora-websites/ticket/296#comment:2>
fedora-websites <https://fedoraproject.org/wiki/Websites>
Fedora Website Team's Trac instance