On Tue, 02 Jul 2002, Scott Courtney wrote:
I was able to extract the SuSE key from an announcement on this list, and to add it to my GPG keyring. SuSE's messages now say that the signature is valid but that the key cannot be verified.
So my question: How do I trace back the SuSE key to a signer, so that I can decide how far back I need to go in order to get one that I trust? I'm less
Two steps for each key:

1. Get a copy of the key fingerprint from a separate channel that you trust (such as the printed "Security" manual from SuSE) and compare it with the fingerprint of your copy of the key.
2. Sign the copy of the SuSE key that is on your keyring.

Actually there are two keys you are probably interested in:

Security announcements    security@suse.de
Package signing           build@suse.de

The build key comes on your CD so I guess many people trust it without verifying the fingerprint. (You need some way to get a trusted copy of GPG :-) )
I'm familiar with how public key cryptography works and the implications of the web-of-trust versus central-authority models. I'm asking about specific mechanics of the "getting people together" problem, with regard to how it works in the Open Source community, rather than about concepts of the technology itself.
You don't really need to meet someone in the web of trust to verify your suse keys for your personal use. Some Linux and Unix user groups have GPG key signing events, after their meetings or at conferences. Ask UGs in your area.

dproc
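
The two steps from the reply above, as an added shell example that is not part of the original message: it compares the keyring's fingerprint with one copied from a trusted channel and signs only on an exact match. The function names, the use of `gpg --lsign-key` (a local, non-exportable signature) for the "sign" step, and the sample key data are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check a key's fingerprint against a value obtained out of
# band, and sign the key on the local keyring only if the two agree.

# Normalise a fingerprint: drop spaces/colons/newlines, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key's fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the first value is a 32- or 40-digit hex fingerprint and
# the second is identical after normalisation. Empty input never matches.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 32 ] || [ "${#a}" -eq 40 ] || return 1
    [ "$a" = "$b" ]
}

# Steps 1 and 2 for one key.
# $1 = user ID on the keyring, $2 = fingerprint from the trusted channel.
check_and_sign() {
    have=$(gpg --with-colons --fingerprint "$1" | primary_fpr)
    if fpr_matches "$have" "$2"; then
        gpg --lsign-key "$1"    # assumption: local signature, personal use
    else
        echo "fingerprint mismatch for $1 (keyring has: $have)" >&2
        return 1
    fi
}

# Constructed colon-format sample for trying the parser (not a real SuSE key).
SAMPLE='pub:-:1024:17:0123456789ABCDEF:1000000000:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:-::::1000000000::::Example Key <key@example.invalid>:'

# Usage: sh check-key.sh build@suse.de "<fingerprint from the printed manual>"
if [ "$#" -eq 2 ]; then check_and_sign "$1" "$2"; fi
```

Run it once per key, typing the fingerprint from the printed source rather than pasting it from the same channel the key arrived on.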