ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: pgp signature
Date Thu, 12 Feb 2004 08:15:50 GMT
On Wed, 11 Feb 2004, Adam Hardy <adam.ant@cyberspaceroad.com> wrote:

> 'Ultimately'? That's extreme, isn't it?

Absolutely - and the level of trust is up to you.

If you are sure the key is Antoine's, sign it with yours.  As you
trust yourself ultimately, this is enough to make Antoine's signature
"trusted" for the release and make the warning go away.

There is no reason to assign any additional trust to the key.  This
comes into the trust calculation when a path of trust needs to be
established.

Say you trust my key.  If you trust it ultimately, you'd immediately
accept Antoine's key as I have signed it, PGP wouldn't complain about
you not having any trust in Antoine's key.  If you chose a less
extreme level of trust, more than one signature of that trust level is
needed on a given key to make that key trusted.

So trust in your trustdb is more about how you think the person is
dealing with key signing.  Is he/she paranoid so that you can assume
he/she will never sign any key without being absolutely sure?  Or will
he/she sign any key just because it can be found on a public
keyserver?

This is your decision and there is no need to tell anybody about your
trust at all 8-)

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message