
Re: I am still on the keyring. With my old key.

Scripsit Martijn van Oosterhout <kleptog@gmail.com>

> "push aside"? There's no rule that says there can be only one. Yes,
> replacing someone could become ugly, but providing additional hands
> can't be considered bad, can it?

It can be considered bad from a technical viewpoint - as far as I
understand the master copy of the keyring is currently on a medium
that is under the keyring maintainer's direct physical control.

The "obvious" way of switching to team maintenance of the keyring
would entail keeping the master copy in a central machine - for
example on a debian.org box somewhere in a colo. Doing that in a way
that does not leave the keyring more vulnerable to surreptitious
compromise than some reasonable persons might prefer, requires
software support that does not currently exist.

If somebody designs and implements (after a suitable architectural
review) some software to support distributed keyring maintenance in a
secure, auditable way, it is likely that calls for adding more people
to the task would be considered more seriously.

> Anyway, ISTM that removing keys from a keyring is much more important
> than adding new ones, right?

It is also more difficult to implement in a secure distributed way.
Anybody can think up a scheme for using gpg signatures to prevent keys
from being added without authorisation in the first place. Making sure
that a removed key stays removed is a more complex question -
particularly if emergency powers-to-remove just get kludged onto the
existing system as an afterthought.

Henning Makholm                                  "Panic. Alarm. Incredulity.
                                   *Thing* has not enough legs. Topple walk.
                                  Fall over not. Why why why? What *is* it?"
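
An added illustration, not part of the message above or of any Debian tooling: one assumed reading of why a removed key may not stay removed is that an old, validly signed "add" record can simply be replayed. HMAC with a shared secret stands in for gpg signatures here, and every name and the fingerprint are constructed.

```python
import hashlib
import hmac
import json

MAINTAINER_KEY = b"constructed-demo-secret"  # assumption: stands in for a maintainer's gpg key
FPR = "CONSTRUCTED-FINGERPRINT-0001"         # constructed sample value, not a real key

def _blob(obj):
    return json.dumps(obj, sort_keys=True).encode()

def sign(payload):
    return hmac.new(MAINTAINER_KEY, _blob(payload), hashlib.sha256).hexdigest()

def entry(op, fpr, seq=None, prev=None):
    """Build a signed 'add'/'remove' record; seq/prev matter only to the chained log."""
    payload = {"op": op, "fpr": fpr, "seq": seq, "prev": prev}
    return {"payload": payload, "sig": sign(payload)}

def valid(e):
    return hmac.compare_digest(e["sig"], sign(e["payload"]))

def apply(ring, payload):
    (ring.add if payload["op"] == "add" else ring.discard)(payload["fpr"])

def naive_keyring(entries):
    """Accepts every validly signed record in arrival order."""
    ring = set()
    for e in entries:
        if valid(e):
            apply(ring, e["payload"])
    return ring

def chained_keyring(entries, last_seen_seq=-1):
    """Accepts a record only if it is next in sequence and commits to its predecessor's hash."""
    ring, seq, prev = set(), 0, None
    for e in entries:
        p = e["payload"]
        if not valid(e) or p["seq"] != seq or p["prev"] != prev:
            continue  # forged, replayed or reordered record: ignored
        apply(ring, p)
        seq, prev = seq + 1, hashlib.sha256(_blob(e)).hexdigest()
    if seq - 1 < last_seen_seq:
        raise ValueError("log is older than one already seen (truncated copy)")
    return ring

def demo():
    add = entry("add", FPR)
    replayed = naive_keyring([add, entry("remove", FPR), add])  # old 'add' sent again
    a0 = entry("add", FPR, seq=0, prev=None)
    r1 = entry("remove", FPR, seq=1, prev=hashlib.sha256(_blob(a0)).hexdigest())
    return replayed, chained_keyring([a0, r1, a0])
```

In the naive log the replayed "add" puts the key back; in the chained log it is ignored, and `last_seen_seq` lets a client reject a copy that has been cut off before the removal.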
