Re: [T(A)ILS-dev] OpenPGP keys and policy

Author: intrigeri
Date:  
To: The T(A)ILS public development discussion list
Subject: Re: [T(A)ILS-dev] OpenPGP keys and policy
Hi,

(Marco: thanks for your input!)

Marco A. Calamari wrote (07 Oct 2010 14:35:51 GMT) :
> may I suggest to maintain the trust chain signing the new keys with
> the old one?

I thought about it when generating the new key, and initially
decided not to do so. This can of course be discussed and the
opposite decided, though.

My main reasons for not signing the new (signature+certification,
high-security) key with the old (mailing-list) one are:

1. It would be misleading: the old key is not trusted enough to be
able to certify the authenticity of the new one. Such a
certification would somehow make people think it is. On the
contrary, the new key has signed the old (mailing-list, low
security) one, which is its actual purpose.

2. About the trust path: the old key is only signed by my own one and
the new key is too. AFAIK, there is currently no way to get a
proper trust path (to any T(A)ILS public OpenPGP key) that does not
go through my own key. It thus seems to me that anyone who already
went through the necessary steps to trust the old key is in a position to
trust the new one as well.

This being said, I'm open to changing my thinking on this.

> Better comments inside the personality about the key purpose would
> help too.

I have already added a UID to the old key to make this clear:

pub   4096R/F93E735F 2009-08-14 [expire: 2014-08-13]
uid                  Amnesia <amnesia@???>
uid                  T(A)ILS developers (Schleuder mailing-list) <amnesia@???>
sub   4096R/E89382EB 2009-08-14 [expire: 2014-08-13]


... and the new key is:

pub   4096R/BE2CD9C1 2010-10-07 [expire: 2012-10-06]
uid                  T(A)ILS developers (signing key) <amnesia@???>


I do not know how to make the purpose of these keys clearer.
Suggestions welcome!

Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| So what?
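The trust-path argument in point 2 above (and the "misleading certification" worry in point 1) can be checked mechanically on a small certification graph. The following is an added example written for this archive page; it is not code from the thread, from intrigeri, or from the T(A)ILS project. Key names are placeholders: "intrigeri" stands for the author's own key, "old" for the mailing-list key (F93E735F), "new" for the signing key (BE2CD9C1), and "alice" is an assumed outside user who has only certified intrigeri's key. Certifications are modelled as directed edges signer -> signed, and "trusted" simply means reachable from a trusted root along such edges; that is a deliberate simplification of GnuPG's owner-trust model, not a reimplementation of it.

```python
"""Trust-path reasoning over a small OpenPGP certification graph.

Added example, not code from the mailing-list thread or the T(A)ILS
project.  Key names are placeholders for the keys discussed in the
mail; 'alice' is an assumed outside party.  The trust model used here
(a key is authentic if some trusted root reaches it through a chain of
certifications) is an assumption chosen for illustration, not GnuPG's
actual owner-trust computation.
"""
from collections import deque

# Constructed certification graph, as described in the mail:
# intrigeri's key has signed both T(A)ILS keys, the new key has signed
# the old one, and alice (assumed) has certified intrigeri's key.
CERTIFICATIONS = {
    "alice": {"intrigeri"},
    "intrigeri": {"old", "new"},
    "new": {"old"},
    "old": set(),
}


def trust_paths(certs, root, target):
    """All simple certification paths root -> ... -> target."""
    paths = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in sorted(certs.get(node, ())):
            if nxt not in path:          # keep paths simple (no cycles)
                stack.append((nxt, path + [nxt]))
    return paths


def reachable(certs, roots):
    """Keys whose authenticity follows once every key in `roots` is trusted."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        key = queue.popleft()
        for nxt in certs.get(key, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def all_paths_pass_through(certs, root, target, via):
    """True if target is reachable from root and every path contains `via`."""
    paths = trust_paths(certs, root, target)
    return bool(paths) and all(via in p for p in paths)


def with_old_signing_new(certs):
    """Hypothetical graph in which the old key also certifies the new one."""
    copy = {k: set(v) for k, v in certs.items()}
    copy["old"].add("new")
    return copy


if __name__ == "__main__":
    alt = with_old_signing_new(CERTIFICATIONS)
    # Point 2: with or without the extra signature, alice can only reach
    # either T(A)ILS key through intrigeri's key, and the set of keys she
    # can authenticate does not change.
    for name, graph in (("current", CERTIFICATIONS), ("old signs new", alt)):
        for target in ("old", "new"):
            print(name, target, "via intrigeri only:",
                  all_paths_pass_through(graph, "alice", target, "intrigeri"))
        print(name, "reachable from alice:", sorted(reachable(graph, {"alice"})))
    # Point 1: the only thing the extra signature would buy is letting the
    # low-security old key vouch for the high-security new one.
    print("trusting only old, current:", sorted(reachable(CERTIFICATIONS, {"old"})))
    print("trusting only old, old signs new:", sorted(reachable(alt, {"old"})))
```

Running it shows that adding an old-signs-new certification creates no path from an outside key to either T(A)ILS key that avoids intrigeri's key, while it does make the mailing-list key a certifier of the signing key, which is exactly the effect the mail argues against.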