On Wed, Jan 15, 2020 at 07:12:36PM +0100, Enrico Zini wrote:
> On Mon, Jan 13, 2020 at 05:03:50PM -0500, Daniel Kahn Gillmor wrote:
> > > With the SKS network slowly dying, gpg not receiving third-party
> > > certifications anymore by default and other changes to the ecosystem,
> > > retrieving OpenPGP certificates and third-party certifications may be
> > > harder in the future.
> > >
> > > It is simpler to let applicants provide a certificate themselves
> > > directly.
> > 
> > I endorse this suggestion :)
> > 
> > I note that we shouldn't *require* users to upload their certificate
> > necessarily.  The change asked for here is just to make it possible for
> > them to do the upload if they choose to.
> 
> I like the sentiment, and I am slightly afraid of turning nm.debian.org
> into the debian keyserver replacement.
> 
> I mean, we could, but I'd like to figure out where we want to have the
> authoritative source of key material for Debian.
> 
> Here are various options that I can think of:
> 
>  - nm.debian.org, needs the data
>  - contributors.debian.org has a much more comprehensive user database
>  - keyring.debian.org primarily manages key material
>  - sso.debian.org is the authoritative user database
>  - the oncoming replacement of sso.debian.org will be the actual
>    authoritative user database
> 
> I'd feel better having this information together with the authoritative
> user database, which at this point in time would mean waiting for the
> new SSO to be up, and then hooking into that somehow.
> 
> Alternatively, having this information managed by the authoritative
> team, which could mean keyring-maint providing a key upload service tied
> to the new SSO. In this case, I don't mind helping to write the key
> upload service for keyring-maint, if you want.

[wearing no hat other than operator of the keyserver in question]

Y'all are welcome to (and tell prospective contributors to) send keys to
the.earth.li, which is not SKS and still accepts third party
certifications. It does some limited signature verification which I'm
generally working to improve when time allows, but I think it's a
half-way house between what we currently have (trust a failing keyserver
network to have the data) and what's being proposed (implement a very
specific service to suit our needs for retrieving 3rd party certs).

J.

-- 
  "I'm not anti-establishment, I   |  .''`.  Debian GNU/Linux Developer
   just don't see the point." --   | : :' :  Happy to accept PGP signed
  Matthew Kirkwood, OxLUG mailing  | `. `'   or encrypted mail - RSA
               list.               |   `-    key on the keyservers.
