ant-user mailing list archives

From Adam Hardy <adam....@cyberspaceroad.com>
Subject Re: pgp signature
Date Mon, 16 Feb 2004 12:28:04 GMT
On 02/12/2004 09:15 AM Stefan Bodewig wrote:
>>'Ultimately'? That's extreme, isn't it?
> 
> Absolutely - and the level of trust is up to you.
> 
> If you are sure the key is Antoine's, sign it with yours.  As you
> trust yourself ultimately, this is enough to make Antoine's signature
> "trusted" for the release and make the warning go away.
> 
> There is no reason to assign any additional trust to the key.  This
> comes into the trust calculation when a path of trust needs to be
> established.
> 
> Say you trust my key.  If you trust it ultimately, you'd immediately
> accept Antoine's key as I have signed it, PGP wouldn't complain about
> you not having any trust in Antoine's key.  If you choose a less
> extreme level of trust, more than one signature of that trust level is
> needed on a given key to make that key trusted.
> 
> So trust in your trustdb is more about how you think the person is
> dealing with key signing.  Is he/she paranoid so that you can assume
> he/she will never sign any key without being absolutely sure?  Or will
> he/she sign any key just because it can be found on a public
> keyserver?
> 
> This is your decision and there is no need to tell anybody about your
> trust at all 8-)

Thanks v. much for the run-down on security keys & pgp. This got very 
involved very quickly, but I'm glad I'm now aware of the issue.

At this point, I shall just take it on trust that the keys from 
www.apache.org are trustworthy, and live with the warning.

Regards
Adam

-- 
ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
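
The trust calculation described in the quoted reply, as an added example that is not part of the original message and is not GnuPG's own code: a simplified Python model of how a key becomes valid from the signatures on it. It assumes GnuPG's default thresholds (one fully trusted signature or three marginally trusted ones), and every key name in it is constructed sample data.

```python
# Added illustration: a simplified model of the validity calculation in GnuPG's
# classic trust model. The names "me", "stefan", "antoine", "signer2" and
# "signer3" are constructed sample data, not real key IDs.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


def valid_keys(signatures, ownertrust, completes_needed=1,
               marginals_needed=3, max_depth=5):
    """Return the set of keys whose signatures verify without a trust warning.

    signatures: key -> set of keys that have signed it
    ownertrust: key -> how much you trust that key's owner as a signer
    The thresholds are assumed to be GnuPG's defaults.
    """
    # Ultimately trusted keys (normally only your own) are the roots.
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}
    for _ in range(max_depth):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by keys that are already valid count.
            usable = [ownertrust.get(s) for s in signers if s in valid]
            full = sum(t in (ULTIMATE, FULL) for t in usable)
            marginal = usable.count(MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def antoine_is_valid(signatures, ownertrust):
    return "antoine" in valid_keys(signatures, ownertrust)


ME = {"me": ULTIMATE}
# Scenario 1: you sign Antoine's key yourself; no ownertrust on it is needed.
SIGNED_BY_ME = ({"antoine": {"me"}}, ME)
# Scenario 2: you signed Stefan's key and trust him only marginally.
ONE_MARGINAL = ({"stefan": {"me"}, "antoine": {"stefan"}},
                {**ME, "stefan": MARGINAL})
# Scenario 3: three marginally trusted, valid signers reach the threshold.
THREE_MARGINAL = (
    {"stefan": {"me"}, "signer2": {"me"}, "signer3": {"me"},
     "antoine": {"stefan", "signer2", "signer3"}},
    {**ME, "stefan": MARGINAL, "signer2": MARGINAL, "signer3": MARGINAL})
```

In the model, ownertrust assigned to a key only matters when that key is a signer on the path to another key, which is why signing Antoine's key yourself is sufficient without assigning it any trust.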

