Signatures ...

Wayne Davison wayned at
Thu Jun 17 17:28:05 GMT 2004

On Thu, Jun 17, 2004 at 10:17:19AM -0400, King, Daniel wrote:
> I don't yet have a "web of trust;" should I be concerned about the "not
> certified" issue above?

That's entirely up to you.  Gpg verified that the signing key's
signature was valid.  If you want to know more about the key, you can
list the folks that signed the key like this:

gpg --list-sigs wayned at

If you like what you see, that may be enough for you.  Or you can list
the sigs for one of the signing keys, like this:

gpg --list-sigs wayne at

If you run that you'll (hopefully) see that it was signed by a USENIX
1997 key, which means that a physical ID was verified in person and that
the email address was double-checked through an exchange of secrets.  If
you trust USENIX enough in its procedures (and if you trust/verify that
this signature is actually from USENIX), you could assign it ultimate
trust using this command:

gpg --edit-key 134B2131

... at the prompt, type "trust", select from the menu, confirm, and then

If you do that and the trust level on the wayne at signature is
above "marginal", the signature would then be certified by using your
previous "gpg --verify" command.  Alternate trust routes are also
possible through Dave's signing key.


More information about the rsync mailing list