monotone-devel

PGP key signing (Was: Re: [Monotone-devel] Re: BZ2 & signatures)


From: Ethan Blanton
Subject: PGP key signing (Was: Re: [Monotone-devel] Re: BZ2 & signatures)
Date: Tue, 1 Aug 2006 16:25:33 -0400
User-agent: Mutt/1.5.11

Lapo Luchini spake unto us the following wisdom:
> Nathaniel Smith wrote:
> > (Also, I'm the one that rolls releases these days, and I don't have a
> > verifiable gpg key anyway...)
>
> If you're interested in improving your key reachability I may suggest
> exchanging signatures with Matt Zimmerman (and/or Cort Stratton and/or
> Doug Barton or others), they live in Los Angeles and are willing to
> meet people to exchange signatures, as implied by their presence on
> BigLumber:
> http://www.biglumber.com/x/web?sl=29
> 
> The three of them are connected to the SCC (strongly connected subset
> of GPG signatures graph), with Matt the stronger of the three (a mean
> distance of only 4 links from anyone else, a distance of 3 signatures
> from me).

So, not to get into a big long PGP discussion here, but this is really
not that useful.  I'm well-signed into the strongly connected subset,
myself, but that doesn't directly translate to anything particularly
valuable -- for example, I can find paths of length 3 from myself to
Graydon, and similar from myself to you, but those paths are *not* via
signers whom I trust, and as such they are not particularly useful to
me.  It doesn't really matter to me that some guy I don't know from
Adam has signed your key, regardless of how well I may know and trust
the first link in the chain.

So, while increasing the size of the strongly connected set is
academically interesting and makes for an amusing popularity contest,
it's not really useful for something like file distribution.

As an interesting contrast, I "trust" the key used to sign Linux
Kernel releases, simply because it has been used for years to sign
empirically "good" kernel releases in a public location for which
bogosity would have been reported in some fashion in that span of time
were it going on; this is not a secure trust relationship, but it is a
sufficient indication that Things are As They Should Be for a quick
download check.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
                -- Cesare Beccaria, "On Crimes and Punishments", 1764

Attachment: signature.asc
Description: Digital signature
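
Added example, not part of the original message: a simplified Python model of the distinction the message draws between a signature path existing and that path running through signers the verifier trusts. The graph, the key names and the rule that one trusted introducer's signature suffices are constructed assumptions; this is not GnuPG's actual trust computation.

```python
from collections import deque

# Constructed signature graph: signer -> keys that signer has certified.
SIGS = {
    "me": {"alice"},
    "alice": {"stranger", "bob"},
    "stranger": {"release_key"},
    "bob": set(),
    "release_key": set(),
}

def shortest_path(sigs, src, dst):
    """BFS over signatures: the 'distance' that key-graph statistics report."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(sigs.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def valid_keys(sigs, me, trusted_introducers):
    """Keys I can treat as valid: signed by me, or signed by a key that is
    itself valid AND that I have chosen to trust as an introducer."""
    valid, queue = {me}, deque([me])
    while queue:
        signer = queue.popleft()
        if signer != me and signer not in trusted_introducers:
            continue  # valid key, but its signatures carry no weight for me
        for key in sigs.get(signer, ()):
            if key not in valid:
                valid.add(key)
                queue.append(key)
    return valid

if __name__ == "__main__":
    print("path:", shortest_path(SIGS, "me", "release_key"))
    print("valid, trusting alice only:", sorted(valid_keys(SIGS, "me", {"alice"})))
```

The path to `release_key` is three signatures long, yet the key is not valid for a verifier who trusts only `alice` as an introducer, because the last link is signed by a key whose owner the verifier has no basis to trust.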

