Web of Trust (a revolution)

[Anne Wilson]

On Monday 30 March 2009 08:28:12 Stanisław T. Findeisen wrote:
> Mikkel L. Ellertson wrote:
> > Let me see - The Gnupg package is included with Fedora. RPMs are
> > signed with a GPG key - each version has its own key. The extra
> > repositories have their own keys. When their was a possibility that
> > the keys had been compromised, new keys were issued. It is not like
> > Fedora isn't already using gpg...
> >
> > About the only change I can see would be signing the files needed to
> > do a network install...
>
> I was talking about the community more, than about the repos. Is GnuPG
> widely used in the community? How about the people from M$ world?
>
> Again: promoting GnuPG would promote:
> * GNU
> * free software
> * security and authenticity
> * bazaar model
> * mutual trust
> all at the same time.
>
> Maybe that would be better than to sit and wait for Microsoft/whatever
> to sell everybody his X.509.... Wide use of encryption/digital
> signatures will come sooner or later, I guess.
>
If you examine my key you will see that it is signed by a number of people who 
have properly verified that I am who I say I am.  This is essential for the 
web of trust to work, but frankly it is not understood by many people, and 
I've seen conversations where people will sign anyone's key.  The whole web of 
trust falls apart when this happens.

Since the criteria for correct verification is very precise, I can't see most 
people getting their keys signed, and without that, the point of using a key 
is very limited.

Anne
-- 
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature?  Add it to UserBase
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090330/457a6f05/attachment-0001.sig>