Re: kernel.org status: establishing a PGP web of trust

From: H. Peter Anvin
Date: Sun Oct 02 2011 - 15:03:15 EST


On 10/02/2011 11:39 AM, Willy Tarreau wrote:
>
> I'm not opposed to generating a second key, but I don't really understand
> how it solves the isolation issue. I'm not used to key signing parties
> and am presently in the situation where I don't know whom to ping to
> sign my key. The only thing I could do was to sign it with my old key
> as you suggested in the initial mail on the subject :-/
>
> So if at least generating a second key can save that hassle for next
> time, I'm all in favor of making it, it just takes a few seconds.
>

The idea is that you have a key that you keep *extremely* secure. When
you go to key signing parties you only bring the public key (for
verifying the fingerprint) but you don't sign keys until you're at your
secure host, for example.

That is the key you will use to establish yourself in the web of trust.
The key you will actually *use* is a child key signed with that key,
and perhaps a handful of others.

That way, if your everyday key is compromised, you can still use your
secure key to sign the everyday key. This alone will get you "marginal"
trust in the PGP web, which is good enough to get you new credentials.

-hpa
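As an added illustration (not part of hpa's mail or any GnuPG code), here is a small Python model of GnuPG's classic validity rules applied to the arrangement above: a verifier V who signed the secure master key M at a key signing party, an everyday key E1 signed only by M, and its replacement E2 after E1 is compromised. The key names, the owner-trust values and the simplifications (no cert depth, revocations or expiry) are assumptions for the example.

```python
"""Toy model of PGP key validity under GnuPG's classic trust rules.
Constructed example: shows why a child key signed by a master key that
is already in the web of trust inherits (marginal) validity."""
FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3   # GnuPG defaults

def validity(key, sigs, owner_trust, me, _seen=frozenset()):
    """Validity of `key` as seen by `me` (the ultimately trusted key).
    sigs: {signed_key: {signer_key, ...}}  owner_trust: {key: FULL|MARGINAL}"""
    if key == me:
        return FULL
    if key in _seen:                       # break certification cycles
        return UNKNOWN
    full = marginal = 0
    for signer in sigs.get(key, ()):
        # a signature only counts if the signer's key is itself fully valid ...
        if validity(signer, sigs, owner_trust, me, _seen | {key}) != FULL:
            continue
        # ... and the signer is trusted as an introducer (the verifier's choice)
        trust = FULL if signer == me else owner_trust.get(signer, UNKNOWN)
        if trust == FULL:
            full += 1
        elif trust == MARGINAL:
            marginal += 1
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return FULL
    return MARGINAL if marginal else UNKNOWN

def scenario():
    """Secure key M is in the web of trust (signed by verifier V at a key
    signing party); everyday keys are only ever signed by M (constructed)."""
    sigs = {"M": {"V"}, "E1": {"M"}}
    owner_trust = {"M": MARGINAL}          # V marginally trusts M as introducer
    before = validity("E1", sigs, owner_trust, "V")
    # E1 is compromised: drop it, generate E2, sign E2 with the secure key.
    # No new key signing party is needed; M's standing carries over.
    del sigs["E1"]
    sigs["E2"] = {"M"}
    after = validity("E2", sigs, owner_trust, "V")
    # "and perhaps a handful of others": two more marginally trusted signers
    sigs["A"], sigs["B"] = {"V"}, {"V"}
    owner_trust.update(A=MARGINAL, B=MARGINAL)
    sigs["E2"] |= {"A", "B"}
    with_others = validity("E2", sigs, owner_trust, "V")
    return before, after, with_others

if __name__ == "__main__":
    print(scenario())   # ('marginal', 'marginal', 'full')
```

The "marginal" outcome for E1 and E2 matches what hpa describes; whether a master key's signature yields marginal or full validity depends entirely on the owner trust the verifier assigns to that master key.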
