* martin f. krafft: > key management still requires some sort of professionalism. Just > creating a key and signing it isn't the entire game;
I disagree. Even Verisign claims it isn't liable for its certificate. In this case, the only response to a bad signing key is to remove it from your APT installation. No elaborate framework of certifying keys is going to change that. > users need multiple ways to verify the key until the trust level > meets their requirements. Right now, one single method exists, and > its weak. There are at least two. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
