Sander W G van der Waal wrote on Wed, Sep 15, 2010 at 09:07:22 +0100:
> From: Johan Corveleyn [mailto:jcor...@gmail.com]
> > Keysigning, public keys, ... huh? What's this about? I'm quite new to
> > Apache Retreat etc, and I'm no committer, so maybe that's it?
Using a private key you can sign a file in a way that convinces everyone
who sees the file, the signature, and the (associated) public key that
the signature was produced by the possessor of the private key.
Encryption works in reverse: the $someone who encrypts uses your public
key and has confidence that only the possessor of the associated secret
key can decrypt.
Keysigning aims to bind public keys to the /identity of/ the possessor
of the secret key. (after all, anyone could run gpg and write "Daniel"
when gpg asked for their name)
AFAIK, the ASF uses crypto primarily to sign releases.
> Excellent, that means I'm not the only one who's new to the Apache Retreat
> and is not a committer! ;)
> I recently started to look into key signing and found the page on the Apache
> website very informative. Henk Penning has a page that is specifically
> aimed at exchanging keys. I guess that is still relevant?
>  http://www.apache.org/dev/release-signing.html
>  http://people.apache.org/~henkp/sig/pgp-key-signing.txt
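The sign/verify/identity points made in the reply above, as an added example that is not part of this thread and not ASF tooling: a release manager signs an artifact with GnuPG, and a downloader with a fresh, empty keyring imports the published public key (the KEYS-file step) and verifies. The name "Daniel (example)", the address daniel@example.invalid and the artifact contents are made up for the demonstration. It assumes GnuPG 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example: detached-signature release signing with GnuPG, verified
# from a second keyring the way a downloader would. All names, addresses
# and file contents are constructed for the demo; nothing here is ASF code.
set -eu

# Run gpg against a chosen GNUPGHOME in batch mode.
g() { home=$1; shift; GNUPGHOME=$home gpg --batch --quiet "$@"; }

# First match of an extended regex in a status-fd dump, or empty.
token() { printf '%s\n' "$1" | grep -oE "$2" | head -n1 || true; }

release_signing_demo() {
  work=$(mktemp -d)
  signer="$work/signer"; downloader="$work/downloader"
  mkdir -m 700 "$signer" "$downloader"

  # 1. The release manager's key. The user ID is whatever was typed in;
  #    gpg does not check it, which is exactly the gap keysigning fills.
  g "$signer" --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Daniel (example) <daniel@example.invalid>' default default 1y 2>/dev/null

  # 2. The artifact and an ASCII-armoured detached signature beside it
  #    (the foo.tar.gz + foo.tar.gz.asc layout used for releases).
  printf 'pretend this is apache-foo-1.0.tar.gz\n' > "$work/foo.tar.gz"
  g "$signer" --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$work/foo.tar.gz.asc" "$work/foo.tar.gz"

  # 3. Publish the public key (a KEYS file) and import it on the other side.
  g "$signer" --armor --export > "$work/KEYS"
  g "$downloader" --import "$work/KEYS" 2>/dev/null

  # 4. Verify. --status-fd 1 yields machine-readable tokens: GOODSIG says
  #    the maths checks out; TRUST_UNDEFINED says nobody the downloader
  #    trusts has certified that this key really belongs to "Daniel".
  st=$(g "$downloader" --status-fd 1 --verify "$work/foo.tar.gz.asc" "$work/foo.tar.gz" 2>/dev/null || true)
  sig=$(token "$st" 'GOODSIG|BADSIG')
  trust=$(token "$st" 'TRUST_[A-Z]+')

  # 5. Flip the artifact by one byte and verify again: BADSIG expected.
  printf 'x' >> "$work/foo.tar.gz"
  st2=$(g "$downloader" --status-fd 1 --verify "$work/foo.tar.gz.asc" "$work/foo.tar.gz" 2>/dev/null || true)
  sig2=$(token "$st2" 'GOODSIG|BADSIG')

  # Tidy up the throwaway agents and keyrings.
  for h in "$signer" "$downloader"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
  echo "$sig $trust $sig2"
}

release_signing_demo
```

The middle token is the one worth noticing: a "Good signature" line alone only proves that whoever holds the private key made the signature. Turning TRUST_UNDEFINED into a trusted result is what signing the key at an event like the one discussed in this thread is for, because a downloader's gpg then finds a certification path from someone they already trust to the key in KEYS.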