On Fri, Mar 30, 2012 at 15:41, Randall Leeds <[email protected]> wrote:
> On Fri, Mar 30, 2012 at 15:15, Randall Leeds <[email protected]> wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater <[email protected]> wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19 Randall Leeds <[email protected]>
>>>
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
>
> I'm wondering if I can answer my own question here. I have a feeling
> it has to do with legal liability for releasing software on behalf of
> the ASF. In that case, having some confidence that you not only own
> your email addresses but also your face and person who is also a legal
> citizen that can be held accountable for misbehaving seems prudent.
> Basically, I'm rejecting the notion that PGP demands we meet in person
> in order to trust each other's identities, but admitting that perhaps
> the needs of the ASF demand that I not trust you to sign code unless I
> verify that you are a legal person that can be held accountable for
> misdeeds.
>
> My crime, then, was against the ASF, not the web of trust at large. Perhaps?
> I'll see about revoking just that signature, if it's possible.

I've published a revocation. I'll note that I noticed I had signed it with trust level 'unknown'. If my understanding is correct, that means I asserted only the validity but said nothing of the trustworthiness. If that's the case, I think I may not have done anything wrong at all! Strange that no one pointed out this distinction to me in the past. All of the keys I've signed are signed this way.
