Gentoo Archives: gentoo-security

From: Matthias Bethke <matthias@×××××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] gpg keys; GSWoT & PGP Global Directory Key
Date: Tue, 01 Apr 2008 15:43:31
Message-Id: 20080401154226.GB10755@aldous
In Reply to: [gentoo-security] gpg keys; GSWoT & PGP Global Directory Key by Eric Martin
Hi Eric,
on Fri, Mar 28, 2008 at 03:13:43PM -0400, you wrote:
> I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global > Directory(2) signatures on them. Obviously both websites encourage you > to download their keys and trust them. While I realize what keys you > trust is totally up to you, I'm wondering what fellow people do. My > idea was to /maybe/ add them in as moderates that way they don't run my > keyring for me, but still vouch for people where necessary.
As far as I can see, the PGP Global Directory does no verification apart from checking that an email address exists, so its signature isn't worth much for the WoT. The GSWoT signatures on the other hand mean the owner of the key has been personally checked by an introducer. It's a matter of taste but I usually don't sign role account keys, I think they should be signed by members of the institution (the introducers in this case) whom I can choose to trust because their identity can be verified. So as I wanted to trust the GSWoT key, I just imported some intermediate keys to build a couple of marginal trust paths via people I've met personally. cheers, Matthias -- I prefer encrypted and signed messages. KeyID: FAC37665 Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665


Subject Author
Re: [gentoo-security] gpg keys; GSWoT & PGP Global Directory Key Eric Martin <freak4uxxx@×××××.com>
Re: [gentoo-security] gpg keys; GSWoT & PGP Global Directory Key Randy Barlow <randy@×××××××××××××××××.com>