On Mon, Feb 22, 2016 at 07:47:51PM +0000, Gregory Maxwell wrote:
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > My point was that you can get the signatures off the key from the
> > keyserver and see if any of them are someone you trust. If not, are
> > they connected to someone you trust (hey, look, web of trust). I think
> > expanding the web of trust on the signatories of the keys would help
> > more than just trying to distribute the key fingerprint "lots of
> > places".
>
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.

Some older Fedora signing keys were signed by prominent Fedora persons
(up to F12 or so). If one has been to at least one Fedora key signing
party and has a WOT connection to one of those persons, using the WOT is
the best way to verify the keys one downloads from the web.

It would be great if we could resurrect this practice and have one or
more RelEng members and the Fedora Project Leader sign the Fedora PGP
keys and upload their signatures to public keyservers. Signature
chaining (F24 key signed by F23, etc.) would also be helpful.

Zbyszek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
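As an added example (not part of the thread above), the following Python reads the colon-delimited output of `gpg --with-colons --list-sigs` and checks the two points raised in the discussion: whether a downloaded key is certified by a signer you already trust, or reachable through one (web of trust), and whether each release key is signed by its predecessor (signature chaining). The key IDs, user IDs and listing below are constructed placeholders, not real Fedora keys.

```python
# Verify downloaded PGP keys through signatures rather than a fingerprint
# copied from a web page. Input is `gpg --with-colons --list-sigs` output:
# field 1 is the record type, field 5 the key ID (the key itself for "pub",
# the signer for "sig"), field 10 the user ID. Sample below is constructed.
SAMPLE = """\
pub:-:4096:1:AAAA000000000023:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::HASH1::Release key 23 (constructed)::::::::::0:
sig:::1:AAAA000000000023:1400000000::::Release key 23 (constructed):13x:::::8:
sig:::1:BBBB0000000000FF:1400000100::::RelEng member (constructed):10x:::::8:
pub:-:4096:1:AAAA000000000024:1430000000:::-:::scESC::::::23::0:
uid:-::::1430000000::HASH2::Release key 24 (constructed)::::::::::0:
sig:::1:AAAA000000000024:1430000000::::Release key 24 (constructed):13x:::::8:
sig:::1:AAAA000000000023:1430000100::::Release key 23 (constructed):10x:::::8:
pub:-:4096:1:AAAA000000000025:1460000000:::-:::scESC::::::23::0:
uid:-::::1460000000::HASH3::Release key 25 (constructed)::::::::::0:
sig:::1:AAAA000000000025:1460000000::::Release key 25 (constructed):13x:::::8:
"""

# Key IDs whose fingerprints were checked in person (constructed placeholder).
TRUSTED_SIGNERS = {"BBBB0000000000FF"}


def parse_list_sigs(text):
    """Return {key_id: set of signer key IDs}, dropping self-signatures."""
    keys, current = {}, None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            keys[current] = set()
        elif fields[0] == "sig" and current and fields[4] != current:
            keys[current].add(fields[4])
    return keys


def trust_path(key_id, keys, trusted, max_hops=3):
    """Shortest chain key_id <- signer <- ... <- trusted signer, or None."""
    frontier = [[key_id]]
    for _ in range(max_hops):
        next_frontier = []
        for path in frontier:
            for signer in keys.get(path[-1], set()):
                if signer in trusted:
                    return path + [signer]
                if signer not in path:
                    next_frontier.append(path + [signer])
        frontier = next_frontier
    return None


def chain_status(keys, ordered):
    """For consecutive release keys, is each one signed by its predecessor?"""
    return {new: old in keys.get(new, set()) for old, new in zip(ordered, ordered[1:])}
```

A key with no path to a trusted signer (key 25 in the sample) is exactly the case where nothing but the downloaded fingerprint vouches for it.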