Re: [Exim] OpenPGP signatures on Exim releases

Author: WJCarpenter
Date:  
To: exim-users
Subject: Re: [Exim] OpenPGP signatures on Exim releases
Yeah, yeah, having the software author's key signature in the printed
book is a fine idea. With not much additional effort, it could be an
even better idea.

What happens if the key is compromised? Sure, the word gets around that
the key is compromised, so everyone starts ignoring the printed key
signature. But that puts us back at square one. How do people learn
of a new, trustworthy key?

What you really need is to publish a small, reasonable list of keys, the
signatures of the members of a mini-keyring, more or less. These should
be keys controlled by people the software author trusts so that the
following scenario can be explained in the book and then played out if
necessary.

"In the event that this key is compromised, I'll try to advertise that
widely. Of course, you should stop trusting things signed with that key.
In its place, I will create a new key and it will be signed by at least M of
the following N keyholders. I will then use that key to sign releases."

Vary M and N to taste.
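The "at least M of the following N keyholders" rule above, worked through as an added example; this is not code from the message, from Exim, or from the book under discussion. It assumes Ed25519 keys from Go's standard library as a stand-in for the OpenPGP keys the thread is about, treats the N public keys as the list a reader already holds (the list printed in the book), and treats an endorsement as a keyholder's signature over the replacement key's public bytes. The key names, the Policy/Endorsement types and the sample release bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Endorsement is one keyholder's signature over the replacement key's public
// bytes. A real deployment would use OpenPGP certifications on the author's
// new key; Ed25519 from the standard library stands in so this runs offline.
type Endorsement struct {
	Endorser  ed25519.PublicKey
	Signature []byte
}

// Policy is the "at least M of the following N keyholders" rule: Endorsers is
// the list of N public keys the reader already trusts (assumed to be the list
// printed in the book); M is how many of them must vouch for a replacement key.
type Policy struct {
	M         int
	Endorsers []ed25519.PublicKey
}

func listed(list []ed25519.PublicKey, pk ed25519.PublicKey) bool {
	for _, k := range list {
		if bytes.Equal(k, pk) {
			return true
		}
	}
	return false
}

// AcceptNewKey reports whether newKey carries valid signatures from at least
// p.M distinct keyholders in p.Endorsers. Signatures by unlisted keys, invalid
// signatures, and repeat signatures from one keyholder do not count.
func AcceptNewKey(p Policy, newKey ed25519.PublicKey, ends []Endorsement) bool {
	if p.M < 1 || p.M > len(p.Endorsers) {
		return false // a threshold nobody (or anybody) can meet is a misconfiguration
	}
	vouched := map[string]bool{}
	for _, e := range ends {
		if listed(p.Endorsers, e.Endorser) && ed25519.Verify(e.Endorser, newKey, e.Signature) {
			vouched[string(e.Endorser)] = true
		}
	}
	return len(vouched) >= p.M
}

// Endorse is what each keyholder does: sign the replacement key's public bytes.
func Endorse(priv ed25519.PrivateKey, newKey ed25519.PublicKey) Endorsement {
	return Endorsement{Endorser: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, newKey)}
}

// Outcome records the checks a reader would make when the scenario plays out.
type Outcome struct {
	Accepted          bool // M distinct valid endorsements: replacement key accepted
	TooFewRejected    bool // only M-1 endorsements: rejected
	DuplicateRejected bool // one keyholder signing M times: rejected
	OutsiderRejected  bool // M-1 keyholders plus a key not on the list: rejected
	ReleaseVerifies   bool // a release signed with the accepted key verifies
}

// RunScenario creates N keyholders and a replacement release key (the old,
// compromised key is simply no longer consulted), then exercises the policy.
// Requires 2 <= m <= n so that the duplicate-signature case is meaningful.
func RunScenario(n, m int) (Outcome, error) {
	var out Outcome
	if m < 2 || m > n {
		return out, fmt.Errorf("need 2 <= m <= n, got m=%d n=%d", m, n)
	}
	pol := Policy{M: m}
	privs := make([]ed25519.PrivateKey, 0, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return out, err
		}
		pol.Endorsers = append(pol.Endorsers, pub)
		privs = append(privs, priv)
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	_, outsider, err := ed25519.GenerateKey(rand.Reader) // not among the N printed keys
	if err != nil {
		return out, err
	}
	var ends []Endorsement
	for _, p := range privs[:m] {
		ends = append(ends, Endorse(p, newPub))
	}
	out.Accepted = AcceptNewKey(pol, newPub, ends)
	out.TooFewRejected = !AcceptNewKey(pol, newPub, ends[:m-1])
	dup := make([]Endorsement, m)
	for i := range dup {
		dup[i] = Endorse(privs[0], newPub)
	}
	out.DuplicateRejected = !AcceptNewKey(pol, newPub, dup)
	partial := append([]Endorsement(nil), ends[:m-1]...)
	out.OutsiderRejected = !AcceptNewKey(pol, newPub, append(partial, Endorse(outsider, newPub)))
	// Once the replacement key is accepted, releases signed with it are checked as before.
	release := []byte("exim-x.y.tar.gz contents (constructed sample, not a real release)")
	out.ReleaseVerifies = out.Accepted && ed25519.Verify(newPub, release, ed25519.Sign(newPriv, release))
	return out, nil
}

func main() {
	out, err := RunScenario(5, 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The threshold is counted over distinct endorsers, not over signatures, which is the point that a naive "count the signatures" check gets wrong: one keyholder, or one compromised keyholder key, can produce as many signatures as it likes. Keys outside the printed list are ignored entirely rather than rejected loudly, since a reader has no way to tell an attacker's key from a well-meaning stranger's.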