Re: New ftp layout

From: Raphaël Enrici <blacknoz(at)club-internet(dot)fr>
To: Troels Arvin <troels(at)arvin(dot)dk>
Cc: pgadmin-hackers(at)postgresql(dot)org
Subject: Re: New ftp layout
Date: 2004-12-04 10:24:30
Message-ID: 41B1905E.8070704@club-internet.fr
Lists: pgadmin-hackers

Hi Troels (<- is Troels your first name or is it Arvin?),

Troels Arvin wrote:
> On Fri, 03 Dec 2004 16:21:42 +0000, blacknoz wrote:
>
>
>>Why don't you /simply/ upload your key to a keyserver?
>
> I should and I will, some day, when I get around to it (my older keys
> were also on keyservers). But I'm not very fond of keyservers; there seem
> to be several, uncoordinated key server projects and it's not clear where
> to go. Also: There is no way to revoke a key if you haven't prepared
> for revocation. Yes, one _should_ prepare for revocation, but that might
> not be clear to the beginner (like it wasn't clear to me when I started
> using PGP), so the keyservers slowly become cluttered with useless public
> keys (like my first key for which I forgot the pass phrase).

Mostly agreed. But that's where I wanted to insist:
key signing is a bit complex from the organisational point of view
although it is technically "simple".
I believe that the upload to a keyserver helps/forces people to do the
things the right way and to ask themselves the good questions:
reading howtos, asking for advice before the first upload and so on...

If people just don't take care about it, they sign files but it's like
they missed all the interest of it... IMHO, thinking you are protected by
technical tools is always a bad thing if you didn't take time to
understand what they do and how you should be organised. Note that I'm
not saying you didn't understand it (reading your mail proves you fully
understand this and surely better than I do).

> At any rate, in my opinion, people should be able to use RPM signature
> verification of the files distributed by pgadmin without having to use
> key-servers. Thus, it's still relevant that downloaders are somehow
> instructed in how to get the needed keys for RPM verification.

Yes, agreed. You are right it may be interesting to distribute a keyring
/ text file with all our public keys.

> And gpg-signed files are easier to use than MD5 sums if you
> already have the relevant public keys in your keyring (especially when
> using RPMs which often have the signature embedded).

easier and especially with two different goals...

> <snip>
>
>>[...]
>>- your private key is protected (I mean not on a host on the net)
>
>
> So whenever I use my key, I have to copy the file to work on to a floppy
> disk and carry it to a host which has never been network-exposed? That
> doesn't sound very security-promoting to me.

No, I was referring to the 10th point of the key signing party howto [1]
where it is advised not to permanently leave your .gnupg (or whatever
pgp software pub/priv key file you use) on a host accessible from the net.

> To sum up: I believe that signing of RPMs (and other types of signing) is
> of high practical use, and the pgadmin project should make use of it.

Did I say I was against that? IIRC I was one of the first people to ask
Dave to sign the source tarballs. I was just underlining that it should
be done with all security concerns in mind.

Thank you for your answer, it was nice to learn why some of us don't use
keyservers. I'll think of it twice in the future. :)

Regards,
Raphaël

[1] http://www.cryptnet.net/fdp/crypto/gpg-party.html
