Debian Developers, June 2007: key sign
| Guilherme de S. Pastore 2007-06-27, 1:22 pm |
| On Wed, 2007-06-27 at 19:28 +0330, Amin Shali wrote:
> Hi 
> Can anyone please sign my key?
No.
Quoting http://www.debian.org/events/keysigning:
"You should never sign a key for somebody else you haven't met
personally. Signing a key based on anything other than first-hand
knowledge destroys the utility of the Web of Trust. If one's friend
presents other developers with your ID card and your fingerprint, but
you are not there to verify that the fingerprint belongs to you, what do
other developers have to link the fingerprint to the ID? They have only
the friend's word, and the other signatures on your key -- this is no
better than if they signed your key just because other people have
signed it!
"It is nice to get more signatures on one's key, and it is tempting to
cut a few corners along the way. But having trustworthy signatures is
more important than having many signatures, so it's very important that
we keep the keysigning process as pure as we can. Signing someone else's
key is an endorsement that you have first-hand evidence of the
keyholder's identity. If you sign it when you don't really mean it, the
Web of Trust can no longer be trusted."
If you want more information on how to get your key signed, you might
want to take a look at http://nm.debian.org/gpg.php
--
Guilherme de S. Pastore
gpastore@debian.org
| |
| Kevin Mark 2007-06-28, 1:25 am |
| On Wed, Jun 27, 2007 at 01:04:30PM -0300, Guilherme de S. Pastore wrote:
> On Wed, 2007-06-27 at 19:28 +0330, Amin Shali wrote:
>
> No.
>
> Quoting http://www.debian.org/events/keysigning:
>
> "You should never sign a key for somebody else you haven't met
> personally. Signing a key based on anything other than first-hand
> knowledge destroys the utility of the Web of Trust. If one's friend
> presents other developers with your ID card and your fingerprint, but
> you are not there to verify that the fingerprint belongs to you, what do
> other developers have to link the fingerprint to the ID? They have only
> the friend's word, and the other signatures on your key -- this is no
> better than if they signed your key just because other people have
> signed it!
Or more importantly, why do you want it signed? To become a new
maintainer or to become a Debian maintainer (who is not part of Debian)
who can have their packages uploaded to Debian? You may want to look
into mentors.debian.net or look into
http://www.debian.org/devel/join/newmaint ?
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|