Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Curt Sampson <cjs(at)cynic(dot)net>
Cc: Kurt Roeckx <Q(at)ping(dot)be>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-04 05:06:25
Message-ID: 1044335185.2979.90.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
> 2. Do I trust him to take care of his own key and be careful signing
> other keys?
>
> 3. Do I trust his opinion that the postgres release-signing key that
> he signed is indeed valid?
>
> 4. Do I trust the holder of the postgres release-signing key to have
> taken care of the key and have been careful about signing releases
> with it?
>

Sorry to respond again, however, I did want to point out, signing a key
does not have to imply an absolute level of trust of the signer. There
are several trust levels. For example, if we validated keys via phone
and mail, I would absolutely not absolutely trust the key I'm signing.
However, if I had four people who mostly trusted the signed key and
one or two who absolutely trusted the signed key whom I absolutely
trust, then it's a fairly safe bet I too can trust the key. Again, this
all comes back to building a healthy web of trust.

Surely there are a couple of key developers who would be willing to
sign each other's keys and have previously met before. Surely this
would be the basis for phone validation. Then, of course, there is the ol'
snail-mail route too. Of course, nothing beats meeting in person having
valid ID and fingerprints "in hand." ;)

Regards,

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
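
How graded trust levels combine into a decision about a key, as an added example that is not part of the original message or of any PostgreSQL or GnuPG code: a simplified model of the classic web-of-trust rule, assuming GnuPG's documented defaults (1 fully trusted signer or 3 marginally trusted signers, certification paths of at most 5 steps). The key names and signatures are constructed sample data.

```python
from collections import defaultdict

# Assumed thresholds: GnuPG's documented defaults for the classic trust model.
COMPLETES_NEEDED = 1   # signatures needed from fully trusted signers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted signers
MAX_CERT_DEPTH = 5     # longest certification path that is followed

def valid_keys(my_key, signatures, ownertrust,
               completes=COMPLETES_NEEDED, marginals=MARGINALS_NEEDED,
               max_depth=MAX_CERT_DEPTH):
    """Return the set of keys considered valid from my_key's point of view.

    signatures: iterable of (signer, signed_key) pairs.
    ownertrust: {key: "full" | "marginal"}, how far each key's owner is
                trusted to check identities before signing.
    """
    signed_by = defaultdict(set)
    for signer, signed in signatures:
        signed_by[signed].add(signer)

    trust = {**ownertrust, my_key: "full"}   # one's own key is the root
    valid = {my_key}
    for _ in range(max_depth):               # one pass per path step
        newly = set()
        for key, signers in signed_by.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            usable = signers & valid
            full = sum(trust.get(s) == "full" for s in usable)
            marg = sum(trust.get(s) == "marginal" for s in usable)
            if full >= completes or marg >= marginals:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample: "me" has signed three developers' keys after checking
# them, but trusts each owner only marginally as a signer of other keys.
SAMPLE_TRUST = {"dev_a": "marginal", "dev_b": "marginal", "dev_c": "marginal"}
SAMPLE_SIGS = [("me", "dev_a"), ("me", "dev_b"), ("me", "dev_c"),
               ("dev_a", "release_key"), ("dev_b", "release_key")]

if __name__ == "__main__":
    print(sorted(valid_keys("me", SAMPLE_SIGS, SAMPLE_TRUST)))
    more = SAMPLE_SIGS + [("dev_c", "release_key")]
    print(sorted(valid_keys("me", more, SAMPLE_TRUST)))
```

With two marginal signatures the release key stays unvalidated; the third marginal signature, or a single signature from a fully trusted and valid key, tips it over.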
