On Wed, Mar 23, 2011 at 12:27 PM, Mike Acker <mike_ac...@charter.net> wrote:
> I really liked the idea of having the Membership Secretary sign a Public
> Keyring for the Group Members and then to circulate that keyring to the
> membership.
>
> How to implement though, as members will need an additional keyring for
> each group they have a membership with.

Just to comment on this aspect of your proposal:

Debian, for example, does circulate a keyring file in this way. But managing multiple keyrings is not easy, and can lead to some nasty corner-cases. What if you are using multiple keyrings and different versions of the same key exist on more than one keyring?

[ as an aside, I think there is a fairly good case that multiple public keyring files are a menace rather than a help in most cases because of this problem.... ]

It would probably be better for the membership secretary to circulate a keyblock (i.e. the results of an --armor --export) containing the members' keys, which you could then import onto your own keyring. Unless the group features many hundreds of members you should not experience any noticeable slow-down at all.

Depending on the nature of your group there are two potential models:

- If memberships are renewed at regular intervals, the secretary can simply sign all keys with signatures valid for the standard period of membership and circulate the keyblock.
- If members enter and leave at different times, the membership secretary will have to sign and revoke keys as appropriate (I'd still put an expiry date on the signatures to be on the safe side) and circulate the keys of all members who are current *or former members* (so that the revoked signatures are also circulated).
- As a refinement of the second option, if you make the signatures only valid for a year, you would only need to circulate the keys of former members for the period during which the original signature was ever valid.

Best wishes,

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
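
The second and third models in the message above come down to a rule for which keys go into each circulated keyblock. The following is an added example, not part of the original post: the one-year validity, the `Member` record, the function names and the roster are assumptions constructed for illustration, and only `gpg --armor --export` is taken from the message.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CERT_VALIDITY = timedelta(days=365)  # assumed: one-year membership signatures


@dataclass
class Member:
    fingerprint: str                 # constructed placeholder, not a real key
    certified_on: date               # when the secretary last signed this key
    left_on: Optional[date] = None   # None while the person is still a member


def classify(m: Member, today: date) -> str:
    """Decide how one key is treated in the next circulated keyblock."""
    sig_live = today < m.certified_on + CERT_VALIDITY
    if m.left_on is None:
        # Current member: circulate; re-sign first if the signature lapsed.
        return "current" if sig_live else "renew"
    # Former member: the revocation must keep circulating for as long as the
    # original signature would otherwise still look valid to a recipient.
    return "revoked" if sig_live else "omit"


def export_command(members, today):
    """Build the export command line for every key that must be circulated."""
    fprs = [m.fingerprint for m in members if classify(m, today) != "omit"]
    return ["gpg", "--armor", "--export", *fprs]


# Constructed sample roster.
ROSTER = [
    Member("A" * 40, date(2011, 1, 10)),
    Member("B" * 40, date(2010, 10, 1), left_on=date(2011, 3, 1)),
    Member("C" * 40, date(2010, 6, 1), left_on=date(2010, 12, 1)),
    Member("D" * 40, date(2010, 8, 1)),
]

if __name__ == "__main__":
    today = date(2011, 9, 1)
    for m in ROSTER:
        print(m.fingerprint[:8], classify(m, today))
    print(" ".join(export_command(ROSTER, today)))
```

A former member's key drops out of the keyblock only once the signature would have expired on its own, which is why the expiry date bounds how long revocations have to be carried.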