Erik Enge <eenge@prium.net> writes:
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
ok, so this "guarantees" that the key belongs to whoever has access to that account (which is good), but how do you get people to trust common-lisp.net's key? am i missing something simple?