Good day, all I finally got around to installing and learning GPG on my system. Not that I'm apathetic about security; just that until now I've followed the practice of never e-mailing anything sensitive. I decided it was time to get this up and running just in case I ever need to do so. I was able to extract the SuSE key from an announcement on this list, and to add it to my GPG keyring. SuSE's messages now say that the signature is valid but that the key cannot be verified. So my question: How do I trace back the SuSE key to a signer, so that I can decide how far back I need to go in order to get one that I trust? I'm less concerned about this for the specific case of the SuSE announcements, which I can verify on their web site, than in the general case. Without going to a key signing party, are there other ways I can get my own GPG keys signed without violating the web-of-trust model? I'm familiar with how public key cryptography works and the implications of the web-of-trust versus central-authority models. I'm asking about specific mechanics of the "getting people together" problem, with regard to how it works in the Open Source community, rather than about concepts of the technology itself. Thanks for any suggestions. Kind regards, Scott -- -----------------------+------------------------------------------------------ Scott Courtney | "I don't mind Microsoft making money. I mind them courtney@4th.com | having a bad operating system." -- Linus Torvalds http://4th.com/ | ("The Rebel Code," NY Times, 21 February 1999) | PGP Public Key at http://4th.com/keys/courtney.pubkey