On Mon, 2003-02-03 at 22:35, Curt Sampson wrote:
> 2. Do I trust him to take care of his own key and be careful signing
> other keys?
>
> 3. Do I trust his opinion that the postgres release-signing key that
> he signed is indeed valid?
>
> 4. Do I trust the holder of the postgres release-signing key to have
> taken care of the key and have been careful about signing releases
> with it?
Sorry to respond again, however, I did want to point out, signing a key does not have to imply an absolute level of trust of the signer. There are several trust levels. For example, if we validated keys via phone and mail, I would absolutely not absolutely trust the key I'm signing. However, if I had four people who mostly trusted the signed key and one or two who absolutely trusted the signed key whom I absolutely trust, then it's a fairly safe bet I too can trust the key.

Again, this all comes back to building a healthy web of trust. Surely there are a couple of key developers who would be willing to sign each other's keys and have previously met before. Surely this would be the basis for phone validation. Then, of course, there is the ol' snail-mail route too. Of course, nothing beats meeting in person having valid ID and fingerprints "in hand." ;)

Regards,

--
Greg Copeland <[EMAIL PROTECTED]>
Copeland Computer Consulting
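The trust-level arithmetic described in the message above, as an added example that is not from the thread: a small model of GnuPG's classic web-of-trust validity rule (its defaults of one fully trusted or three marginally trusted certifying signatures, and a maximum certification depth of five, are assumed here), run over a constructed keyring shaped like the scenario in the post. The key ids and trust assignments are invented for illustration.

```python
from dataclasses import dataclass, field

# Owner trust: how much the keyring holder trusts a key's *owner* to be
# careful when certifying other people's keys (GnuPG classic trust model).
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"

# Assumed GnuPG defaults: --completes-needed 1, --marginals-needed 3,
# --max-cert-depth 5.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

@dataclass
class Key:
    kid: str
    owner_trust: str = UNKNOWN
    signed_by: set = field(default_factory=set)  # ids of keys that certified this one

def validity(keys, target, depth=0, _seen=None):
    """Return 'full', 'marginal' or 'unknown' validity for key `target`."""
    key = keys[target]
    if key.owner_trust == ULTIMATE:
        return "full"                 # my own key: valid by definition
    if depth >= MAX_CERT_DEPTH:
        return "unknown"              # certification chain too long to count
    seen = (_seen or set()) | {target}
    fulls = marginals = 0
    for signer in key.signed_by:
        if signer in seen or signer not in keys:
            continue                  # cycle or signer we have never seen
        # Only a signer whose own key is fully valid may vouch for others.
        if validity(keys, signer, depth + 1, seen) != "full":
            continue
        if keys[signer].owner_trust in (FULL, ULTIMATE):
            fulls += 1
        elif keys[signer].owner_trust == MARGINAL:
            marginals += 1
    if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
        return "full"
    return "marginal" if (fulls or marginals) else "unknown"

def build_keyring():
    """Constructed keyring: I certified four developers; three were only
    validated by phone (marginal owner trust), one was met in person (full).
    The release-signing key is certified only by the phone-validated three."""
    return {k.kid: k for k in [
        Key("me", ULTIMATE),
        Key("alice", MARGINAL, {"me"}),
        Key("bob", MARGINAL, {"me"}),
        Key("carol", MARGINAL, {"me"}),
        Key("dave", FULL, {"me"}),
        Key("release", UNKNOWN, {"alice", "bob", "carol"}),
    ]}
```

Three marginally trusted certifications make the release key fully valid; drop one and it falls to marginal validity, while a single certification from the fully trusted signer restores it.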