On Mon, 2008-11-10 at 03:14 -0600, Boyd Stephen Smith Jr. wrote:
> mentors.d.n seems to want a single GPG key. I imagine that becoming a DD
> would probably entail reducing my keys down to one (1) as well.

No, it will require you to nominate one of your keys as the Debian key.

Take a look at my keys - one is clearly commented "(laptop key)" - 0xA897FD02 - and I cannot upload to Debian using that key. My main key is the one on my desktop machine - 0x28BCB3E3.

Decide now which of your keys is going to be the most secure (i.e. the secret key has only ever been on machines that haven't left your home). All other keys are deemed "replaceable". All portable machines and all "temporary" machines would only ever have one or more of these replaceable keys.

I think two keys is a good arrangement for most Debian work because if the laptop is stolen or lost, I can still sign notification messages with my other key, which has a similar number of signatures on it and is similarly strong in terms of the web of trust. It is in the nature of laptops to be lost, so I use a "replaceable" key and keep another key for my home system.

Check my emails in the archive: you'll find some signed by my main key (this one) and some by my laptop key, depending on where I was at the time.

> Unfortunately, I haven't found a good method for accessing a single private
> key from the multiple computers I work in front of regularly.

Then don't. By all means copy the other secret keys around all your machines so that you can decrypt stuff (and even sign using your less secure keys on your secure machines), but keep your main key secure.

When you want to take your secure key with you for a specific purpose, use:

http://www.einval.com/~steve/docs/gpg-autofs.html

> Any suggestions on the best way to do that? In particular I've considered a
> USB key, but I'd like it to be automatically mounted in a consistent location
> so my always-running-when-I'm-there gnupg-agent (and kgpg) can find it.

See link above.

Actually, what you might want is my adjustment of the link above that allows me to continue signing stuff with my laptop key when using the laptop and then, on specific instances when I need the Debian key to upload a package directly from the laptop (whilst at DebConf etc.), I plug in my secure key and use it *only* to sign the package for upload, then remove the card and revert to the laptop key.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
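The two-key arrangement described in the reply (the replaceable laptop key as the default signer, the main key selected explicitly only for the one upload that needs it) can be tried out end to end with the script below. This is an added example, not code from the message or from the gpg-autofs page it links to; it assumes GnuPG 2.1 or later, runs entirely inside a throwaway GNUPGHOME, and the two identities, the passphrase-less keys and the "package.changes" file are all constructed stand-ins for the demonstration.

```shell
#!/bin/sh
# Added example: laptop key signs by default, main key only on explicit request.
# Runs in a temporary GNUPGHOME so it never touches the real keyring.
set -e

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

# Generate an unprotected key for the given (constructed) user id and print
# its fingerprint. No passphrase is acceptable here only because the keyring
# is discarded at exit.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

MAIN_FPR=$(gen_key "Example Main Key <main@example.invalid>")
LAPTOP_FPR=$(gen_key "Example Laptop Key <laptop@example.invalid>")

# On the laptop, the replaceable key is the default signer (gpg.conf default-key).
printf 'default-key %s\n' "$LAPTOP_FPR" >> "$GNUPGHOME/gpg.conf"

# Detach-sign a file. With no second argument the default key is used;
# a second argument (-u / --local-user) selects another key for this one signature.
sign_file() {
    if [ -n "$2" ]; then
        gpg --batch --yes --quiet --local-user "$2" --detach-sign --output "$1.sig" "$1"
    else
        gpg --batch --yes --quiet --detach-sign --output "$1.sig" "$1"
    fi
}

# Print the fingerprint of the key behind a valid signature (empty if invalid).
# VALIDSIG is a machine-readable status line: "[GNUPG:] VALIDSIG <fpr> ...".
signer_of() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Constructed stand-in for the .changes file that would be signed for upload.
CHANGES="$GNUPGHOME/package.changes"
printf 'constructed sample upload\n' > "$CHANGES"

# Everyday case: sign with whatever the laptop's default key is.
sign_file "$CHANGES"
DEFAULT_SIGNER=$(signer_of "$CHANGES")

# Upload case: the main key is plugged in and named explicitly for this one file.
sign_file "$CHANGES" "$MAIN_FPR"
EXPLICIT_SIGNER=$(signer_of "$CHANGES")

echo "default signer:  $DEFAULT_SIGNER (laptop key $LAPTOP_FPR)"
echo "explicit signer: $EXPLICIT_SIGNER (main key $MAIN_FPR)"
```

Checking the VALIDSIG fingerprint rather than the human-readable "Good signature from" line is what you want when a script has to confirm which key actually signed an upload; the default-key line in gpg.conf is the piece that makes the laptop key win whenever -u is not given.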