I am practicing retrieving a key from a keyserver. I went to this ppa https://launchpad.net/~mozillateam/+archive/ppa
and retrieved the key from the keyserver with the command: gpg --recv-keys --keyserver keyserver.ubuntu.com keyID. (The keyserver in this case was the Ubuntu key server.)
Next, after verifying that the key's fingerprint is the same as what is listed on the project page website, do I sign this key?
"Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key."
I can't really check with the owner because it is just listed on a website.
When I checked, no one had really signed it. The "People who have signed the key" list in Seahorse is blank.
When I look at http://regina.sourceforge.net/instal...u-precise.html
it seems that they don't list a fingerprint on the site for the key. Is that right? Should there be a fingerprint listed next to the link for the "save as" hyperlink regina.txt file?
Are you confident with the information provided by either site to trust the key, and do you bother signing it? What other types of verification besides a fingerprint would you like to see? Is it okay just to trust the website and fingerprint? If they had clearsigned it, would an sha1sum be on the site, and should that be listed with the fingerprint too?
thanks for any help you can provide,