Today, when asking the GPG keyservers to send me my own keys, I was surprised to receive them with up to 30 (THIRTY) new signatures.
(Indeed, I was not surprised to get some... but I was surprised to get so many.)

As far as I understand, that means that many people seem to upload keys that they've signed directly to the keyserver. As far as I've followed the various discussions about keysigning, this is a very discouraged method as it doesn't check that the IDs and mail addresses you sign are controlled by the person whose key you want to sign. This is indeed why caff does not do this but rather sends the signed key back to the signed UID, in an encrypted mail.

I'm very far from being in a position to give lessons about keysigning (those of you who received signatures of mine several times during the last days will know why... read my blog for details), but I deeply suggest *not* uploading signed keys back to keyservers.

Of course, I'd like to thank the people who did so anyway for signing my keys but, please, next time... use caff to sign keys. It's nearly as simple as "apt-get install signing-party".

This year, we improved the keysigning process in a nice way, but I suggest that next year, the keysigning initial meeting includes a demo about how to sign keys properly. I think that at least the *technical* way to do things (use caff) is widely accepted enough for a demo to be worth it.

_______________________________________________
Debconf-discuss mailing list
[email protected]
http://lists.debconf.org/mailman/listinfo/debconf-discuss
