| 1 |
Hi, everyone. |
| 2 |
|
| 3 |
I'd like to announce that the experimental deployment of Gentoo |
| 4 |
Authority Keys is now in place. If someone would like to give them |
| 5 |
a try, Wiki includes instructions for using them [1]. |
| 6 |
|
| 7 |
Authority Keys (as defined in GLEP 79 [2]) provide a simple, uniform way |
| 8 |
of verifying OpenPGP keys belonging to Gentoo developers. Long story |
| 9 |
short, Infra runs a service that signs developer keys with a single key. |
| 10 |
You import, verify and trust the key, and you get @gentoo.org UIDs of |
| 11 |
all active Gentoo devs verified as a result. |
| 12 |
|
| 13 |
The primary purpose of developer keys is to provide a better GnuPG- |
| 14 |
friendly infrastructure for secure communication with developers. It |
| 15 |
can be used to verify signatures made by developers, and to encrypt mail |
| 16 |
sent to them. In this regard, it can be used in place of LDAP |
| 17 |
(available only to Gentoo devs) or gentoo-keys seed files (which require |
| 18 |
manual updates, and use custom file format). |
| 19 |
|
| 20 |
Besides developer key signatures, Authority Keys also provide (manually |
| 21 |
managed) signatures for other keys used by Infra. Therefore, they |
| 22 |
provide an alternative to manually verifying key fingerprints against |
| 23 |
Gentoo website [3]. |
| 24 |
|
| 25 |
While technically right now the authenticity of Authority Keys can only |
| 26 |
be verified against the website [3], I hope that users will start |
| 27 |
signing them upon verifying, effectively making WoT-based verification |
| 28 |
possible. Once that happens, we will be able to stop relying on PKI. |
| 29 |
|
| 30 |
Currently, the Authority Keys and signed developer keys are available |
| 31 |
only on the experimental Gentoo keyserver (hkps://keys.gentoo.org). |
| 32 |
Once both mature a little bit, we should start syncing keys between |
| 33 |
Gentoo keyserver and SKS, effectively increasing availability of this |
| 34 |
service. |
| 35 |
|
| 36 |
[1]:https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys |
| 37 |
[2]:https://www.gentoo.org/glep/glep-0079.html |
| 38 |
[3]:https://www.gentoo.org/downloads/signatures/ |
| 39 |
|
| 40 |
-- |
| 41 |
Best regards, |
| 42 |
Michał Górny |
Archives