Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net
Erik Enge <erik@nittin.net> writes:
Good question. What say you others? I think it sounds like a good idea to have an administrative common-lisp.net key.
Noone has disagreed with this so I'm going to assume they agree. What would be appropriate for this key with regards to real name and email address? "Common-Lisp.net Administrative Key" and "admin@common-lisp.net" perhaps? Erik.
Erik Enge wrote:
Noone has disagreed with this so I'm going to assume they agree. What would be appropriate for this key with regards to real name and email address? "Common-Lisp.net Administrative Key" and "admin@common-lisp.net" perhaps?
I'd recommmend keymaster@cl.net and have a web page which describes the criteria for a key to be signed by the keymaster key. (I'd reserve you signing keys with your personal key for those owners with whom you meet in person and look at their photo id. Alternately, you can do like Debian and create a keyring file which contains the public key which cl.net trusts and publish that file so that downloaders of cl.net files can verify the signature of that file against the keys that are in the trusted keyring file. Then, there is no need for cl.net to sign any keys. -- Kevin Rosenberg kevin@rosenberg.net
On Thu, Nov 06, 2003 at 08:49:05AM -0700, Kevin Rosenberg wrote:
I'd recommmend keymaster@cl.net and have a web page which describes the criteria for a key to be signed by the keymaster key. (I'd reserve you signing keys with your personal key for those owners with whom you meet in person and look at their photo id.
Ok. This makes more sense then admin as recipient. ;)
Alternately, you can do like Debian and create a keyring file which contains the public key which cl.net trusts and publish that file so that downloaders of cl.net files can verify the signature of that file against the keys that are in the trusted keyring file. Then, there is no need for cl.net to sign any keys.
I think the signing can be better for now at least: it creates more crypto-awareness in the community, and helps in kickstarting a web of trust. Or so I hope. Cheers, -- Nikodemus
Nikodemus Siivola wrote:
I think the signing can be better for now at least: it creates more crypto-awareness in the community, and helps in kickstarting a web of trust. Or so I hope.
While I agree that key signing gives people more direct practice of using GPG, I believe that a web of trust is more valuable when stricter identity verification is required for key signing. -- Kevin Rosenberg kevin@rosenberg.net
On Thu, Nov 06, 2003 at 08:09:46AM -0500, Erik Enge wrote:
Noone has disagreed with this so I'm going to assume they agree. What would be appropriate for this key with regards to real name and email address? "Common-Lisp.net Administrative Key" and "admin@common-lisp.net" perhaps?
Maybe just "Common-lisp.net" as name? admin sound good for email. Cheers, -- Nikodemus
participants (3)
-
Erik Enge -
Kevin Rosenberg -
Nikodemus Siivola