Re: pgp key for signing files

Tue, 06 Jun 2006 02:52:15 -0700 

Kev Jackson wrote:


On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:


On Mon, 05 Jun 2006, Antoine Levy-Lambert <[EMAIL PROTECTED]> wrote:


How to publish your key to a key server I do not remember. I think I
uploaded my public key to a key server, but do not remember off hand
how it is called.


I prefer http://pgpkeys.mit.edu/ but there are tons of alternatives.




I was going to use this option as it was mentioned on the Apache FAQ re 
signing, and I read elsewhere (perhaps GPG home page?) about it too - it 
seems to be a well established key server.



Another thing is that it would be good to have signatures on your
key.  Kev, do you live close enough to anybody of the Ant or any other
Apache community to get you key properly signed (most people will
require some sort of photo-id in a face-to-face meeting in order to
sign your key - thouzgh there may be alternatives).




Well I'm currently in Vietnam, so I guess that no I'm not near enough to 
anyone (most here seem to be European folks, with 1 or 2 USians) 



Makes for round the clock support. We've had a good australian 
participation in the past, although Conor is the only person from there 
currently active, I believe.



to have 
a face-to-face to prove my id!  I may have a business trip to Taiwan at 
some point in the next few weeks - but not before the end of the world cup.



I've never done this whole pgp thing before, and reading the gpg home 
page makes it seem partly simple (gen keys) and partly extremely 
complicated (signing).  Fortunately OSX seems to come with gpg 
installed, unfortunately it's the complicated signing part that I've 
still not fully understood (I get it conceptually, but I think the 
explanation ont'web is confusing me more than anything).


Thanks
Kev



Its an interesting trust problem. You effectively already have some 
credentials we implicitly trust (login rights to the cvs server & 
minotaur, presumably including SSH private keys). Perhaps we can 
bootstrap off that. It doesnt matter that you are who you say you are, 
only that the entity who is committing stuff to the repository is the 
same person who has the PGP key.



I also have an employer issued x500 key, so I can demonstrate that I am 
the person that hp thinks I am, or at least I have their smartcard. We 
can use those to bootstrap trust too. After all, who trusts a paper 
driving license without a photo on it (like my uk one)


-steve


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to