Hello,
I have been mulling over how I might approach the distribution of some code that I have intended would be publicly available, and the distribution of some project-locatable material that I consider as it being relevant in regards to Common Lisp; though the latter material has not been made in coincidence with software beside it, but I consider that it is likely to be made, as so.
While that is not what is the subject of this email, but I mean it as some exposition.
I had noticed that the page http://common-lisp.net/project-intro.shtml , in regards to a request for the registration of a project, includes an explanation: That when one would request an allocation of resources for a project at common-lisp.net, one must provide the public complement of a PGP key pair, of which one's own would be the private key.
I've yet to have endeavored to have 'gotten' a key onto the Debian keyring. Time ago, there had appeared to be a likely cause as that I would, but it was not firstly pursued by me. Since then, the slime debian package has been taken over by another maintainer, and developed in more. I am not certain of what would be the premise on which I would endeavor to have a key registered onto the Debian keyring, presently.
I am aware that there is an object referred to as a keyring, and that a keyring can be utilized in conjunction with cryptographic systems, then in conjunction with procedures for message signing, as in the case of GPG-signed email. (I understand, wholly, it is my responsibility, if I would endeavor to understand how the mechanisms for such are supposed to operate, as when operated across shell commands and such-and-such of conventional software applications. I recognize that it is feasible that the mechanisms for such would be operated, more directly than with shell commands, when operated in a Common Lisp programming environment; perhaps a proposal for such might be more fit to a common-lisp-crypsec list.)
While I hope that there will be opportunity to discuss how cryptographic systems would be implemented in Common Lisp, but my first question would be:
In regards to the public GPG key that would be provided in a request for a project, must that key have been registered in a public keyring?
and must the key be marked as to be 'trusted' of anyone?
(I realize, those questions might be redundant. If a key was available on a public keyring, and if that keyring would be available as by way of a public key service, then one could send a description of the means by which the key would be accessed of that key service, rather than having to send the key in the mail, and rather than requiring the other to download the key, also via internet email)
Separately, then, in a question addressed more directly to the operations of a key system: I am wondering if the keyring provided at http://common-lisp.net/keyring.asc would be able to contain key revocation markers. (I am not aware of what is the internal structure of a keyring, but that it would probably contain public keys for people)
Should it occur that the integrity of a private key would be violated, such that that key would be the private complement to a public key that would have been registered to the keyring at common-lisp.net, then oneself (and only the person who provided the key) oneself should be able to mark that key as it being invalid.
Thirdly, then, most directly: I would like to voice an inquiry, as for what are the means by which a key added to that keyring would be marked as invalid -- like, as for what would be the means by which a key revocation certificate (?) would be delivered on a key made to that keyring, and verified as that it was delivered by whom had delivered the original key. (I am assuming that that would constitute the mechanism for it, to invalidate a key in that keyring).
Fourthly, a question: Regarding the public key that would be provided on a project request, then if the project-request will be accepted, will that public key be added onto the keyring at http://common-lisp.net/keyring.asc ? I had assumed that it would be, but I should like to know, without assumption.
(Like, I am wondering about how the key would be used, as would be provided in coincidence with the project-request.)
I know that the Debian development system includes the mechanism of a key service. (I am not immediately sure of how it is interfaced, and how it is operated, but I trust that they've documentation about it.) If I would have a key registered onto that key service, I wonder if that might suffice, either beside to or in lieu of that I would send a key, also, by email.
I am aware that to have a key trusted onto Debian development, I would have to have that key marked as to be trusted, marked by someone who may verify my identity, onto that key -- for example, someone at a local Linux Users Group, and presumably, someone whom would already have a trusted public key.
(I am aware that there is a Free/Open Source Users Group, locally. My not being much familiar with the group, however, I have been wary of trying to find out how this would be approached, there -- how to get a key marked as 'trusted', there -- but I am certain that it may come to be worked out.)
That appears to be the end of the questions I find cause to ask on the matter.
It is good to see if there are key systems being operated in regards to projects at common-lisp.net.
I will admit that I have avoided bothering about email signing. Yet, taking the matter seriously, I've grounds enough as to ensure a verification of my identity on messages that I have sent. If personal email fraud is not conventional, but it is possible; it might take something of a directed attack, to pull off, but there is no cause to wait around for such.
If I have not made a matter sufficiently clear, in what I have endeavored to address, above, then on inquiry, I may be glad to clarify. I would like to avoid comment, however, as about why I would find cause to state such a matter, explicitly.
I look forward to the prospect of hosting a project at Common-Lisp.net
Thank you
-- Sean Champ
On 7/28/06, Sean Champ gimmal@gmail.com wrote:
> In regards to the public GPG key that would be provided in a request for a project, must that key have been registered in a public keyring?
No.
> and must the key be marked as to be 'trusted' of anyone?
No.
> of a key system: I am wondering if the keyring provided at http://common-lisp.net/keyring.asc would be able to contain key revocation markers. (I am not aware of what is the internal structure of a keyring, but that it would probably contain public keys for people)
Yeah.
> Thirdly, then, most directly: I would like to voice an inquiry, as for what are the means by which a key added to that keyring would be marked as invalid -- like, as for what would be the means by which a key revocation certificate (?) would be delivered on a key made to that keyring, and verified as that it was delivered by whom had delivered the original key. (I am assuming that that would constitute the mechanism for it, to invalidate a key in that keyring).
Just upload your public key to your home directory and let me know and it'll get imported over again and the revocation certificate would carry with it.
> Fourthly, a question: Regarding the public key that would be provided on a project request, then if the project-request will be accepted, will that public key be added onto the keyring at http://common-lisp.net/keyring.asc ?
Yes.
> If I have not made a matter sufficiently clear, in what I have endeavored to address, above, then on inquiry, I may be glad to clarify. I would like to avoid comment, however, as about why I would find cause to state such a matter, explicitly.
Basically, you need to create a GPG key and send me the public key. http://www.gnupg.org/(en)/documentation/howtos.html should get you started. When you've created it just submit your request to admin@common-lisp.net and I'll create your project. I will then use the key you submitted to encrypt a password which I'll email back to you. That's pretty much it.
Thanks, Erik.
Hi
I'm not even sure why I'm subscribed to clo-devel, but I can explain a bit about revocation certificates. All that is checked is that the revocation certificate is made by somebody with the private key. If somebody other than you can turn in a revocation certificate, that is itself proof that your key has been compromised.
Brandon
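
The revocation flow discussed in this thread, as an added example that is not part of the original messages or of common-lisp.net's own tooling: an owner's public key is imported into a second keyring, the owner revokes the key, and re-importing the exported public key carries the revocation along. It assumes GnuPG 2.1 or later; the two throwaway keyring directories and the `owner@example.invalid` identity are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example; assumes GnuPG 2.1+. Both keyrings live in throwaway directories.

# Print the validity field of key $2 as seen in keyring $1 ("r" means revoked).
key_validity() {
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "pub" { print $2; exit }'
}

# Run the exchange; prints "<validity before> <validity after>" from the admin side.
revocation_demo() {
  local owner admin fpr before after
  owner=$(mktemp -d) && admin=$(mktemp -d) || return 1
  chmod 700 "$owner" "$admin"

  # Owner: unprotected throwaway key with a constructed identity.
  gpg --homedir "$owner" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Owner <owner@example.invalid>' default default never \
      2>/dev/null || return 1
  fpr=$(gpg --homedir "$owner" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')

  # Owner sends the public key; the admin imports it into the project keyring.
  gpg --homedir "$owner" --batch --armor --export "$fpr" > "$owner/pub.asc"
  gpg --homedir "$admin" --batch --quiet --import "$owner/pub.asc" 2>/dev/null
  before=$(key_validity "$admin" "$fpr")

  # GnuPG stores a revocation certificate at key creation, with a ':' guard
  # in front of the armor header; drop the guard and apply it to the owner's key.
  sed -n '/^:-----BEGIN/,$p' "$owner/openpgp-revocs.d/$fpr.rev" | sed 's/^://' \
      > "$owner/revoke.asc"
  gpg --homedir "$owner" --batch --quiet --import "$owner/revoke.asc" 2>/dev/null

  # The re-exported public key carries the revocation signature with it.
  gpg --homedir "$owner" --batch --armor --export "$fpr" > "$owner/pub-revoked.asc"
  gpg --homedir "$admin" --batch --quiet --import "$owner/pub-revoked.asc" 2>/dev/null
  after=$(key_validity "$admin" "$fpr")

  gpgconf --homedir "$owner" --kill gpg-agent 2>/dev/null || true
  rm -rf "$owner" "$admin"
  printf '%s %s\n' "$before" "$after"
}
```

Calling `revocation_demo` prints the admin-side validity before and after the second import; the second field is `r` once the revocation has been carried over.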