[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: certification of signatures



Tim wrote:
> I'm curious about why you'd need to do it with a local key.

Not a local key, a local, non-exportable signature, as opposed to an
exportable signature, which is what gpg creates by default.

You don't "need" to use local signature, but I feel it is preferable
(especially when giving advice to folks that might not spend much time
reading on the nuances of GPG).

The reason I consider it preferable is that it prevents new users from
signing the fedora key with a typical, exportable signature which they
can easily leak to a keyserver┬╣ and cost themselves some credibility
as a key signer.  It costs credibility, IMO, because I know that there
is practically no way for those folks to have done the sort of
verification of the fedora key worthy of adding their signature to the
key.

My advice is that if someone feels the need to sign the fedora key to
make the warnings go away, they should use a local, non-exportable
signature (gpg's --lsign option).  It's also well worth considering
whether they need to sign the fedora key at all. :)

┬╣ Like this:
  http://keys.gnupg.net:11371/pks/lookup?op=vindex&search=0xB44269D04F2A6FD2

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Despite the high cost of living, it remains a popular item.

Attachment: pgpfX8U54c6LP.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]