Robert Burrell Donkin wrote:
> my conclusion was that meta-data signed by [keys in the] WoT would be good
> enough.
> there's no need to distribute a master key
+1
> key management is tricky
Not that tricky. Let's not make as if this isn't done routinely elsewhere.
> this is where the complexity lies. IIRC it was quite tough to come up
> with a user friendly trust model that worked correctly.
Not so much, seeing as how you just agreed with CLR:
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.
> we don't actually require that the artifacts are signed: just
> meta-data about the artifacts
What do you think a signature is in the first place? It is a digitally
encrypted hash, i.e., meta-data.
--- Noel