| 1 |
On Tuesday 06 August 2002 09:22 am, Michael Cummings wrote: |
| 2 |
> Perhaps I've missed part of this thread (or simply wasn't paying |
| 3 |
> attention early enough) but will the keyserver itself (the actual |
| 4 |
> repository manager) be housed at gentoo? That would make some small |
| 5 |
> difference, at least if you accept keys in general, as far as a |
| 6 |
> management standpoint goes. In that case, if you can verify the |
| 7 |
> signature against keyserv.gentoo.org, then you know that unless someone |
| 8 |
> has hacked gentoo.org itself (let's not even go there - then all |
| 9 |
> arguments are void) the key is valid. |
| 10 |
|
| 11 |
WRT the web of trust between the circle of developers and the Gentoo community |
| 12 |
at large: |
| 13 |
|
| 14 |
I would put the keys up on several different, independent key servers, as well |
| 15 |
as make them available via download from multiple, independent locations (not |
| 16 |
mirrors of one another). This allows one to download the keyring from |
| 17 |
multiple locations and check them not only against each other, but against |
| 18 |
keys obtained from one or more public key servers. In addition, if the |
| 19 |
Gentoo folks offered the public keyring for sale on CDROM, that would be a |
| 20 |
third, independent genre of conduit through which the veracity of the keys |
| 21 |
could be verified. |
| 22 |
|
| 23 |
Within the circle of developers they should follow the guidelines offered by |
| 24 |
GPG and PGP WRT to key signing parties, or verifying public key fingerprints |
| 25 |
via snailmail and telephone calls (it does matter who calls who, etc.). This |
| 26 |
can be done with a high degree of confidence, if it is done right and corners |
| 27 |
are not cut. |
| 28 |
|
| 29 |
Jean. |
Archives