On Tue, Nov 11, 2003 at 08:04:07PM +0100, Marco Baringer wrote:
> which means that _i'll_ trust common-lisp.net's key, but i was wondering about people who aren't developers on common-lisp.net.
Two answers:
There is no easy way, I'm afraid. I suppose that individuals signed by Common-lisp.net should also sign the Common-lisp.net key, and try to exchange keys generally with the rest of the world (in a secure manner, of course), in hopes that a newcomer can find some entry point to the web of trust.
Since people are lazy, many will decide to trust the key available from Common-lisp.net, even if they can't verify it. This means that those who get the key when Common-lisp.net is cracked lose.
Cheers,
-- Nikodemus