Paul Slootman <[EMAIL PROTECTED]> writes:

> On Wed 15 Sep 1999, Philip Hands wrote:
> >
> > I know there is some pathetic kudos about how many signatures you have
>
> Is the "pathetic" part the reason why you don't have any? :-)

Ah, I'd not updated my key in the keyring since I joined. Well not until last week that is, you'll find a few signatures on my keys in debian-keyring_1999.09.12_all.deb

No the "pathetic" part is that people seem to be more worried about the number, rather than the quality of the signatures.

Not that it matters, but my PGP key is currently signed by 6 people (all of whom have seen me and my passport when I gave them my fingerprint) and my GPG key is signed by two people (on the same basis) as well as being signed by both my GPG and PGP keys.

As long as we don't adopt the ``sign by mail'' approach, the combination of these two signatures and my own PGP signature on the new GPG key should be sufficient to prove that it's not an identity hijack in progress.

If however we accept the ``sign by mail'' idea those two signatures might prove nothing more than the foolishness of the signers.

I really see no point in trying to persuade my other PGP signers to sign my GPG key on the strength of an e-mail. If I succeeded in doing so it would simply prove that that person was willing to sign keys on insufficient evidence, and as such that they should be removed from our web of trust.

Cheers, Phil.