On Tuesday 06 August 2002 09:22 am, Michael Cummings wrote:

> Perhaps I've missed part of this thread (or simply wasn't paying
> attention early enough) but will the keyserver itself (the actual
> repository manager) be housed at gentoo? That would make some small
> difference, at least if you accept keys in general, as far as a
> management standpoint goes. In that case, if you can verify the
> signature against keyserv.gentoo.org, then you know that unless someone
> has hacked gentoo.org itself (let's not even go there - then all
> arguments are void) the key is valid.

WRT the web of trust between the circle of developers and the Gentoo community
at large:

I would put the keys up on several different, independent key servers, as well
as make them available via download from multiple, independent locations (not
mirrors of one another). This allows one to download the keyring from
multiple locations and check them not only against each other, but against
keys obtained from one or more public key servers. In addition, if the
Gentoo folks offered the public keyring for sale on CDROM, that would be a
third, independent genre of conduit through which the veracity of the keys
could be verified.

Within the circle of developers they should follow the guidelines offered by
GPG and PGP WRT key signing parties, or verifying public key fingerprints
via snailmail and telephone calls (it does matter who calls who, etc.). This
can be done with a high degree of confidence, if it is done right and corners
are not cut.

Jean.
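The cross-check Jean describes (the same keyring obtained through a keyserver, an independent download and a CD, compared key by key) as an added example that is not part of the thread. It assumes each copy has been listed with `gpg --with-colons --fingerprint`; the listings, fingerprints and UIDs below are constructed, and the conduit names are arbitrary labels.

```python
"""Cross-check a keyring fetched through independent conduits.

Added example, not code from the mailing-list thread. Each entry is the
`gpg --with-colons --fingerprint` listing of the keyring as obtained via
one conduit. A key is accepted only when every conduit agrees on it.
"""

# Constructed sample listing; fingerprints and UIDs are made up.
LISTING_A = """\
pub:u:1024:17:0123456789ABCDEF:2002-08-01::::::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::2002-08-01::F00D::Dev One <dev1@example.org>:
pub:u:1024:17:FEDCBA9876543210:2002-08-02::::::scESC:
fpr:::::::::1234123412341234123412341234123412341234:
uid:u::::2002-08-02::BEEF::Dev Two <dev2@example.org>:
"""
# The CD copy carries a different key under Dev Two's name (constructed).
LISTING_CD = LISTING_A.replace("1234" * 10, "9999" * 10)
SOURCES = {"keyserver": LISTING_A, "web_download": LISTING_A, "cdrom": LISTING_CD}


def parse_colon_listing(text):
    """Map each UID to the fingerprint of the primary key it belongs to."""
    uid_to_fpr, primary_fpr, in_primary = {}, None, False
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            primary_fpr, in_primary = None, True   # its fpr record follows
        elif fields[0] == "sub":
            in_primary = False                     # ignore subkey fprs
        elif fields[0] == "fpr" and in_primary:
            primary_fpr = fields[9]                # field 10: fingerprint
        elif fields[0] == "uid" and primary_fpr:
            uid_to_fpr[fields[9]] = primary_fpr    # field 10: user ID
    return uid_to_fpr


def cross_check(sources):
    """Return (agreed, disputed); disputed maps UID -> {conduit: fpr or None}."""
    parsed = {name: parse_colon_listing(text) for name, text in sources.items()}
    agreed, disputed = {}, {}
    for uid in sorted(set().union(*parsed.values())):
        seen = {name: mapping.get(uid) for name, mapping in parsed.items()}
        fprs = set(seen.values())
        if len(fprs) == 1 and None not in fprs:
            agreed[uid] = fprs.pop()        # every conduit binds the same key
        else:
            disputed[uid] = seen            # odd key out, or missing somewhere
    return agreed, disputed
```

Only UIDs in `agreed` are worth importing; `disputed` shows which conduit supplied the differing or missing key so the discrepancy can be chased up out of band.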