On Thu, Sep 16, 1999 at 00:02:10 +0100, Philip Hands wrote:
> Given that this key only seems to have been signed by Ray Dassen and
> itself,

Even with the updates Wichert mentions, the web of trust for Debian GPG keys is still a lot sparser than the PGP one. I've pointed out one possible approach to strengthening it (using RSA keys to sign DH/DSA ones) in http://www.debian.org/Bugs/db/25/25554.html .

> and you have good reason to believe that the key used to sign this key was
> Ray's,

In this case, you can be reasonably sure: my RSA key is unrevoked and very widely signed (it made http://www.cl.cam.ac.uk/Research/Security/Trust-Register/); I used it to sign my GPG key (which has a number of other signatures on it as well) with which I signed Wichert's GPG key.

Of course this depends on one's level of paranoia. Using crypto wisely and effectively is a matter of keeping one's paranoia high, but not reducing it ad absurdum (how do you know I'm not an alien with space/time travel technology capable of intercepting your private key and viewing you type your passphrase?).

Ray
-- 
PATRIOTISM  A great British writer once said that if he had to choose between betraying his country and betraying a friend he hoped he would have the decency to betray his country.
  - The Hipcrime Vocab by Chad C. Mulligan