On Sunday 28 October 2007 23:15, Erik Abele wrote:
> As BenL always says: "I don't give a shit about some random document,
> that could be faked anyway. All I care about is the email address
> connected to the key I intend to sign - is it really the address of
> the person in question?".

Ok, and if you don't know the individual in person, you put the trust in a "Driver's license" or similar... but don't really care how that 'trust' was established. I must be plain dumb, but I don't "get" why this provides any comfort to end-users, even if they manage to figure out what to do with the .ASCs (I bet a very small percentage do). And that is why I am asking for better tooling.

> See also http://wiki.apache.org/apachecon/PgpKeySigning

Ok, it shows half the picture; how to sign the keys is left out...

> > as well as tooling support for verifications.
> http://httpd.apache.org/dev/verification.html

Uhhhh, we probably have more than a million users. Do we expect them all to get a hook into the WOT?? IMHO, there is something wrong with that picture...

Couldn't a simple http://www.apache.org/verify, where I put in the ASC file (and the MD5 of the download??) and get an "Authenticated" or not response, be done?? If that is too hard to automate, I don't think we will ever see any increase in user awareness. The process on the above page is beyond most users' imagination.

Cheers
Niclas