incubator-general mailing list archives

From Branko Čibej <>
Subject Re: key signing
Date Mon, 08 Oct 2012 14:36:28 GMT
On 08.10.2012 13:44, Franklin, Matthew B. wrote:
>> -----Original Message-----
>> From: Marvin Humphrey []
>> Sent: Friday, October 05, 2012 8:54 PM
>> To:
>> Subject: Re: key signing
>> On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting <> wrote:
>>> It's good to recommend people to get their keys signed by someone in
>>> the Apache web of trust and I think we could do more in that area,
>> Maybe if we didn't insist on face-to-face meetings we'd get better adoption
>> rates.
>> Apache dev docs:
>>    How To Link Into A Public Web Of Trust
>>    In short, expect that:
>>        *   this will involve a face-to-face meeting
>> GnuPG docs:
>>    A key's fingerprint is verified with the key's owner.  This may be done in
>>    person or over the phone or through any other means as long as you can
>>    guarantee that you are communicating with the key's true owner.
> +1.  I think with technologies like Skype & Google Hangout, we can get the same level
> of assurance of a person's identity as a physical key signing party.

What guarantee do you have that a particular Skype ID is whoever you
think it is? None at all, unless the person involved looked at your
Skype contact list and said, yeah, that's me. Likewise for Google
Hangout. As long as they're doing that, they might as well verify the
signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign
keys because someone claiming to be from Chad sent us a mail asking
us for a signature?


-- Brane
