FWIW, Neil, I could verify the signature based on a key that I retrieved from pgp.mit.edu with the following fingerprint:
A539 96E0 95AE 2027 C2DB A965 1B97 DCEA 057E 59BD
but I don't trust that key (yet, anyway) :)
On keys, trust, and webs
Posted Oct 7, 2011 8:18 UTC (Fri) by neilbrown (subscriber, #359)
Because I suspect that in reality you do trust it, at least a little bit. And if I had had the forethought to sign my previous correspondence with you, you would probably trust it a lot more, despite what gpg tells you.
I've been trying to think of non-digital analogies and the idea of "Public Notices" comes fairly close. There are cases where placing a public notice and not getting a response in some reasonable time period means that you can proceed on the assumption that no-one else has an interest in the issue (handling deceased estate is one example I think).
So my original post is like a public notice. If it was faked, you can be pretty sure that the real neilbrown would have found a way to complain. He hasn't yet. Give it time, but if you don't hear anything in a couple of weeks, you can probably increase your trust level substantially.
[alright, I admit it - I just don't like parties and want to find a way to get my access to kernel.org back without having to go to a key-signing party :-) ]
Posted Oct 7, 2011 13:38 UTC (Fri) by jake (editor, #205)
well, it was meant flippantly (thus the smiley), but, yes, what I meant was that GPG did not trust the key ...
I don't think keysigning parties are the only way to get signatures ... Jon and I verified fingerprints over the phone recently, for example. Sending me a signed email with info that only the entity I know as "Neil Brown" (whoever you are in real life :) would know would go a long way toward establishing the connection between that key and that entity ... enough that I might be willing to sign the key for example ...
Posted Oct 10, 2011 0:33 UTC (Mon) by vonbrand (subscriber, #4458)
<paranoid>Perhaps you have the real one kidnapped somewhere...</paranoid>