Kevin Rosenberg kevin@rosenberg.net writes:
I'd recommend keymaster@cl.net and have a web page which describes the criteria for a key to be signed by the keymaster key. (I'd reserve you signing keys with your personal key for those owners with whom you meet in person and look at their photo ID.)
It looks like this is the best approach. Since I'm not the most experienced with these things around here, I'll ask: do we want the key to just sign (no password) or to sign and encrypt/decrypt (then we need a password, if I understand correctly)?
Erik.
On Fri, Nov 07, 2003 at 07:35:34AM -0500, Erik Enge wrote:
do we want the key to just sign (no password) or to sign and encrypt/decrypt (then we need a password, if I understand correctly)?
I hope that Kevin corrects me if I'm wrong, but...
It doesn't matter: the passphrase is required in any case: it guarantees the integrity of the key.
Imagine: somehow the key gets stolen. Now the purveyor of the key can sign stuff as Common-lisp.net, including keys of malicious package authors, which people will then install and run because the author's key was trusted by Common-lisp.net...
Had the key been protected by a passphrase this would not have happened.
Cheers,
-- Nikodemus
Nikodemus Siivola wrote:
I hope that Kevin corrects me if I'm wrong, but...
It doesn't matter: the passphrase is required in any case: it guarantees the integrity of the key.
Correct. The private key needs to be protected by a passphrase. The private key is used to sign and decrypt messages. It is not needed to encrypt messages -- encryption requires just the public key.
I'd recommend making a user account named keymaster. Import the public keys into its public key ring that you want to sign. After you sign and export public keys, keep the public keys in the keyring. You can then publish that public keyring as an easy way for someone to import all public keys trusted by clnet. That public file can also be used to verify a signature is trusted by clnet:
gpgv --no-default-keyring --keyring clnet-public-keyring.gpg <file>
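The following script is an added example, not code from the thread or from common-lisp.net, that walks through the workflow Kevin and Nikodemus describe with GnuPG 2.1 or later in a throwaway GNUPGHOME: a passphrase-protected keymaster signing key, a package author's key certified by it, a published keyring of keys trusted by clnet, and gpgv verification of a detached signature against that keyring. The user IDs (keymaster@cl.net, author@example.com), the keyring file name clnet-public-keyring.gpg, the passphrase and the package file are constructed for the demo; the author key gets an empty passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires GnuPG >= 2.1
# (--quick-gen-key, --quick-sign-key, --pinentry-mode loopback).
# All key names, file names and the passphrase below are constructed.
set -eu

# Runs the whole cycle in a temporary GNUPGHOME.
# Returns 0 on success, 1 on any failure, 2 when gpg/gpgv are not installed.
keymaster_demo() {
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || {
        echo "gpg/gpgv not installed; skipping" >&2
        return 2
    }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    PASS='constructed-demo-passphrase'   # keymaster private key is never left unprotected

    # 1. keymaster: a passphrase-protected, signing-only role key (constructed)
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --quick-gen-key 'Keymaster <keymaster@cl.net>' default sign never || return 1

    # 2. a package author's key (constructed; empty passphrase just for the demo)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Author <author@example.com>' default default never || return 1
    author_fpr=$(gpg --batch --with-colons --list-keys author@example.com \
                 | awk -F: '/^fpr:/ { print $10; exit }') || return 1

    # 3. keymaster certifies the author's key (after the out-of-band identity check)
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --default-key keymaster@cl.net --quick-sign-key "$author_fpr" || return 1

    # 4. publish the ring of public keys trusted by clnet ...
    gpg --batch --export keymaster@cl.net author@example.com \
        > "$GNUPGHOME/clnet-public-keyring.gpg" || return 1
    # ... and, for contrast, a ring that lacks the author's key
    gpg --batch --export keymaster@cl.net > "$GNUPGHOME/keymaster-only.gpg" || return 1

    # 5. the author signs a release (detached signature)
    printf 'demo package contents\n' > "$GNUPGHOME/package.tar"
    gpg --batch --quiet --yes --local-user author@example.com \
        --output "$GNUPGHOME/package.tar.sig" \
        --detach-sign "$GNUPGHOME/package.tar" || return 1

    # 6a. a user verifies against the published keyring: must succeed
    gpgv --keyring "$GNUPGHOME/clnet-public-keyring.gpg" \
        "$GNUPGHOME/package.tar.sig" "$GNUPGHOME/package.tar" 2>/dev/null || return 1

    # 6b. the same signature with the author's key absent from the ring: must fail
    if gpgv --keyring "$GNUPGHOME/keymaster-only.gpg" \
        "$GNUPGHOME/package.tar.sig" "$GNUPGHOME/package.tar" 2>/dev/null; then
        echo "unexpected: accepted a signature from a key not in the ring" >&2
        return 1
    fi

    # 6c. a modified package with the original signature: must fail
    printf 'tampered\n' >> "$GNUPGHOME/package.tar"
    if gpgv --keyring "$GNUPGHOME/clnet-public-keyring.gpg" \
        "$GNUPGHOME/package.tar.sig" "$GNUPGHOME/package.tar" 2>/dev/null; then
        echo "unexpected: accepted a signature over modified content" >&2
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    return 0
}
```

Two points the run makes visible: gpgv treats every key in the supplied keyring as trusted and does not re-check the keymaster's certification on the author's key, so the published keyring file is itself the statement of whom clnet trusts and must only ever be built from keys the keymaster has actually vetted; and a key missing from the ring, or a file changed after signing, is rejected with a non-zero exit status, which is what a package installer should act on.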