Date: Mon, 30 Nov 92 08:32:45 EST From: pfarrell@cs.gmu.edu (Pat Farrell) I sign keys only when I am certian that the key belongs to the human who claims to have the name on the key. There are not a lot of keys signed by me floating arround, maybe six total..... Ah, but how do we know that it's really you making this statement, and not some evil NSA spoofer? What people need to do is to make their key-signinging policies available _signed_ with their private key; that way at least we would know that the entity signing the keys and the entity claiming that this is its policy are the same. This helps, but we would then still need to trust that the entity is telling the truth insofar as its key-signing policy is concerned. - Ted