On Thu, 2014-06-19 at 21:25 -0500, Gunnar Wolf wrote:
> Thanks for bringing this topic up. I'm snipping your very detailed
> implementation proposal, which does not sound like it was written at
> 4AM at all ;-)

;-)

> I do feel the keyring-maint package is a leftover from days long
> gone. Nowadays the keyring is kept at a DVCS tree, and regularly
> exported to a publicly accessible instance.

Any reason for that "internal" repo? I mean what speaks against the idea of expressing everything via signatures by some special keys (which was probably the core idea of my proposal)?

> Furthermore, it stores its
> full history, so you can even check if $foo was a valid key at some
> point in the past.

This you can do with my proposal as well... whether the "Authority" key will sign other keys always just for a time span (+ continuously resigns them) or whether the signatures are not expiring and manually revoked... In both cases you could easily find out the time spans when a key had the "state" Debian developer, based on the dates of the signatures and revocations.

> I was thinking about including the possible disappearance

Well when I wrote last time, I thought keeping the package might make sense to give offline systems at least a source for a more or less current state of the keyring... but OTOH,... why should offline only systems need this... they can't do any communication with the DDs or verify new packages.

But of course... if there the "Authority" key should then move to some package, e.g. debian-archive-keyring... or perhaps all special keys should move to that package and this should then become the "debian-keyring" (since it's no longer just the archive keys).

Cheers,
Chris.
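
The time-span reconstruction described in the reply above, as an added example that is not part of the original message or of any Debian tooling: it derives the periods during which a key carried the "Authority" certification, for both the re-signing model and the revocation model. The event tuples, dates and function names are constructed for illustration, and a revocation is simplified to closing whatever span is currently open.

```python
from datetime import date

# Constructed certification history for one developer key, as it would be
# read from the "Authority" key's signatures on it. Not real keyring data.
# Each event: ("sig", created, expires_or_None) or ("rev", created, None)
RESIGNED = [  # model 1: short-lived signatures, continuously re-issued
    ("sig", date(2012, 1, 1), date(2013, 1, 1)),
    ("sig", date(2012, 12, 1), date(2013, 12, 1)),
    ("sig", date(2014, 3, 1), date(2015, 3, 1)),
]
REVOKED = [  # model 2: non-expiring signatures, manually revoked
    ("sig", date(2010, 5, 1), None),
    ("rev", date(2012, 8, 15), None),
    ("sig", date(2014, 2, 1), None),
]

def certified_spans(events):
    """Return merged [start, end) spans; end is None while still certified."""
    spans = []
    for kind, created, expires in sorted(events, key=lambda e: e[1]):
        if kind == "sig":
            if spans and (spans[-1][1] is None or created <= spans[-1][1]):
                # New signature overlaps or touches the last span: extend it.
                prev_start, prev_end = spans[-1]
                if prev_end is not None:
                    new_end = None if expires is None else max(prev_end, expires)
                    spans[-1] = (prev_start, new_end)
            else:
                # Gap since the last span: certification starts again.
                spans.append((created, expires))
        elif kind == "rev" and spans:
            start, end = spans[-1]
            if end is None or created < end:
                spans[-1] = (start, created)  # revocation closes the span
    return spans

def was_certified(events, day):
    """True if the key carried the Authority certification on `day`."""
    return any(s <= day and (e is None or day < e)
               for s, e in certified_spans(events))
```

The dates come from the signature and revocation packets themselves, so the reconstructed history is only as trustworthy as the holder of the signing key.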