I see no reason to hurry. A slowly growing web of trust that is strong is far more useful than an exploding web of trash. precisely. I only sign keys when I've met the person
physically, and had them tell me that yes, they have a PGP key, and yes, here are the lower bits (the keyid.) (The latter is a little weak, I look forward to the MD5 output version...) I keep keyid's in my "little black book" as well as my online keyring. Also, because keys are a reasonable "proof" that one is using PGP, some people will only release their "public" keys to people they will correspond with anyhow. (At least one key on the recent cypherpunks key list was in that category.) I have at this point signed keys of 6 people (the first three over dinner at a chinese restaurant -- this didn't start a trend, unfortunately :-) I haven't signed John Gilmore's key (even though I work for him) since I haven't actually seen him in person, though I may get a chance to when I'm in California next week -- this will create a link between east-coast and west-coast signatures, though possibly not the first. _Mark_ <eichin@athena.mit.edu> MIT Student Information Processing Board Cygnus Support <eichin@cygnus.com>