On Fri, Nov 07, 2003 at 07:35:34AM -0500, Erik Enge wrote:
> do we want the key to just sign (no password) or to sign and encrypt/decrypt (then we need a password, if I understand correctly)?
I hope that Kevin corrects me if I'm wrong, but...
It doesn't matter: the passphrase is required in any case: it guarantees the integrity of the key.
Imagine: somehow the key gets stolen. Now the purveyor of the key can sign stuff as Common-lisp.net, including keys of malicious package authors, which people will then install and run because the author's key was trusted by Common-lisp.net...
Had the key been protected by a passphrase this would not have happened.
Cheers,
-- Nikodemus