
Re: GPG Keys



On Mon, 2008-11-10 at 03:14 -0600, Boyd Stephen Smith Jr. wrote:
> mentors.d.n seems to want a single GPG key.  I imagine that becoming a DD 
> would probably entail reducing my keys down to one (1) as well.  

No, it will require you to nominate one of your keys as the Debian key.
Take a look at my keys - one is clearly commented "(laptop key)" -
0xA897FD02 - and I cannot upload to Debian using that key. My main key
is the one on my desktop machine - 0x28BCB3E3.

Decide now which of your keys is going to be the most secure (i.e. the
secret key has only ever been on machines that haven't left your home).
All other keys are deemed "replaceable". All portable machines and all
"temporary" machines would only ever have one or more of these
replaceable keys.

I think two keys is a good arrangement for most Debian work because if
the laptop is stolen or lost, I can still sign notification messages
with my other key which has similar numbers of signatures on it and is
similarly strong in terms of the web of trust. It is in the nature of
laptops for them to be lost, so I use a "replaceable" key and keep
another key for my home system.

Check my emails in the archive; you'll find some signed by my main key
(this one) and some by my laptop key, depending on where I was at the
time.

> Unfortunately, I haven't found a good method for accessing a single private 
> key from the multiple computers I work in front of regularly.

Then don't. By all means copy the other secret keys around all your
machines so that you can decrypt stuff (and even sign using your less
secure keys on your secure machines) but keep your main key secure.

When you want to take your secure key with you for a specific purpose,
use: http://www.einval.com/~steve/docs/gpg-autofs.html

> Any suggestions on the best way to do that?  In particular I've considered a 
> USB key, but I'd like it to be automatically mounted in a consistent location 
> so my always-running-when-I'm-there gnupg-agent (and kgpg) can find it.

See link above.

Actually, what you might want is my adjustment of the link above: it
allows me to continue signing stuff with my laptop key when using the
laptop, and on the specific occasions when I need the Debian key to
upload a package directly from the laptop (whilst at DebConf etc.), I
plug in my secure key, use it *only* to sign the package for upload,
then remove the card and revert to the laptop key.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/


Attachment: signature.asc
Description: This is a digitally signed message part
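The "plug in the secure key, sign the upload with it, unplug, revert to the laptop key" workflow from the message above, as an added example that is not part of the original mail or of the gpg-autofs page it links to. It assumes hypothetical names: SECURE_GNUPGHOME is the GnuPG home directory living on the removable medium, SECURE_KEYID is the nominated Debian key, LAPTOP_KEYID is the replaceable key kept on the laptop; the key IDs below are placeholders, and mounting the medium itself (by autofs or by hand) is left to the linked page. The secure key is selected only when its keyring is actually present, so an empty, unmounted mount point falls back to the laptop key rather than failing half-way through a signing run.

```shell
#!/bin/sh
# Added example, not from the original mail. Signs a .changes file with the
# Debian key when its removable keyring is plugged in, otherwise with the
# laptop key. Names and key IDs below are assumptions; replace them.

SECURE_GNUPGHOME="${SECURE_GNUPGHOME:-/media/gpgkey/.gnupg}"   # keyring on the USB stick/card
SECURE_KEYID="${SECURE_KEYID:-0x0000000000000000}"            # placeholder: nominated Debian key
LAPTOP_KEYID="${LAPTOP_KEYID:-0x1111111111111111}"            # placeholder: replaceable laptop key

# secure_key_present DIR: true only if DIR exists *and* holds a secret keyring.
# An autofs mount point exists as an empty directory even when nothing is
# mounted, so checking -d alone would pick the secure key when it is absent.
# secring.gpg is the GnuPG 1.x/2.0 layout; private-keys-v1.d is GnuPG 2.1+.
secure_key_present() {
    [ -d "$1" ] || return 1
    [ -f "$1/secring.gpg" ] || [ -d "$1/private-keys-v1.d" ]
}

# choose_key: set SIGN_HOMEDIR and SIGN_KEYID to whichever key is usable now.
choose_key() {
    if secure_key_present "$SECURE_GNUPGHOME"; then
        SIGN_HOMEDIR="$SECURE_GNUPGHOME"
        SIGN_KEYID="$SECURE_KEYID"
    else
        SIGN_HOMEDIR="${GNUPGHOME:-$HOME/.gnupg}"
        SIGN_KEYID="$LAPTOP_KEYID"
    fi
}

# sign_changes CHANGES: sign the upload with the chosen key. Requires debsign
# (devscripts) and gpg; GNUPGHOME points gpg at the keyring that holds the key.
sign_changes() {
    changes="$1"
    choose_key
    if [ "$SIGN_KEYID" = "$SECURE_KEYID" ]; then
        echo "secure keyring at $SIGN_HOMEDIR: signing $changes with $SIGN_KEYID"
    else
        echo "secure keyring not mounted: signing $changes with laptop key $SIGN_KEYID"
    fi
    GNUPGHOME="$SIGN_HOMEDIR" debsign -k "$SIGN_KEYID" "$changes"
}

# Usage: ./sign-for-upload.sh foo_1.0-1_amd64.changes
# After a secure-key signing, unmount and unplug the medium before going on.
if [ "$#" -ge 1 ]; then
    sign_changes "$1"
fi
```

Keep the two keyrings physically separate: the secure GnuPG home should only ever contain the Debian key, and the laptop's default GnuPG home should never have held its secret part, otherwise losing the laptop loses both keys at once and the "replaceable" distinction is gone.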

