On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote: > Michael Pobega writes: > > Is it a bad practice to verify keyrings of people on the mailing list, or > > is it better to wait until I meet up with some of them at say Debconf or > > something similar? > > Depends on what you mean by "verify". There is nothing wrong with > downloading their public keys and using them to verify that all the > messages purporting to come from them are indeed signed with the same key > and so probably did come from the same person. However, you should not > sign someone's key unless you have met them, interviewed them, and examined > and verified their credentials. >
What exactly is signing a key, and how does it work? I'd Google it...but I wouldn't know where to start.
signature.asc
Description: Digital signature
