On Thu, 14 Nov 2002, Matthew Toseland wrote:

> For getting the latest build? Please explain to me how we are supposed
> to keep a single SSK private key secure for all eternity?

The same way you keep your PGP key secure.  Don't Share.

I'd suggest Web-of-Trust.  Either internal to freenet or using PGP
keyservers.  Sign a .JAR with a short-expiration key (on the order of
weeks or months)  Sign that key with Ian's key.  (Cross signed with
Oskar, Matthew, etc)  Now we have a distribution key, known to one
person (The "distribution officer") with a short duration.

It's not perfect (losing Ian breaks it) but we're not completely
dependent on the security AND availability of fp.o.

--Dan

Attachment: msg05427/pgp00000.pgp
Description: PGP signature
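The two-tier scheme Dan sketches above (a long-lived key that vouches for a short-lived "distribution key", which in turn signs each build) can be checked mechanically. The following Go program is an added example and is not code from the mailing list or from the Freenet project; it uses Ed25519 from the standard library as a stand-in for PGP, a hand-rolled certificate (`DistCert`) instead of a PGP key signature, and a constructed byte string instead of a real .JAR. The verifier enforces all three properties the post relies on: the distribution key must be countersigned by the root key, the distribution key must not have passed its expiry, and the build signature must match the bytes being installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DistCert is the short-lived "distribution key" statement: the root key
// (Ian's key in the post) vouches for DistPub until NotAfter.
type DistCert struct {
	DistPub  ed25519.PublicKey
	NotAfter time.Time
	RootSig  []byte // root signature over certBytes(DistPub, NotAfter)
}

// SignedBuild is what a client downloads: the artifact, the certificate for
// the key that signed it, and the signature over the artifact bytes.
type SignedBuild struct {
	Jar  []byte
	Cert DistCert
	Sig  []byte
}

var (
	ErrBadChain = errors.New("distribution key is not signed by the root key")
	ErrExpired  = errors.New("distribution key has expired")
	ErrBadSig   = errors.New("build signature does not match the artifact")
)

// certBytes is the canonical byte encoding the root key signs: expiry first,
// then the distribution public key, so neither can be swapped after signing.
func certBytes(pub ed25519.PublicKey, notAfter time.Time) []byte {
	buf := make([]byte, 8+len(pub))
	binary.BigEndian.PutUint64(buf, uint64(notAfter.Unix()))
	copy(buf[8:], pub)
	return buf
}

// NewKeypair generates an Ed25519 keypair (hypothetical helper for readability).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueDistCert is the root-key holder's one action: countersign a
// distribution key with a short validity window.
func IssueDistCert(rootPriv ed25519.PrivateKey, distPub ed25519.PublicKey, notAfter time.Time) DistCert {
	return DistCert{
		DistPub:  distPub,
		NotAfter: notAfter,
		RootSig:  ed25519.Sign(rootPriv, certBytes(distPub, notAfter)),
	}
}

// SignBuild is the "distribution officer's" action: sign the artifact with the
// short-lived key and attach the certificate so clients can verify the chain.
func SignBuild(distPriv ed25519.PrivateKey, cert DistCert, jar []byte) SignedBuild {
	return SignedBuild{Jar: jar, Cert: cert, Sig: ed25519.Sign(distPriv, jar)}
}

// VerifyBuild is what a client runs before installing. Only the root public
// key is pinned; every distribution key is trusted solely via its certificate.
func VerifyBuild(rootPub ed25519.PublicKey, b SignedBuild, now time.Time) error {
	if !ed25519.Verify(rootPub, certBytes(b.Cert.DistPub, b.Cert.NotAfter), b.Cert.RootSig) {
		return ErrBadChain
	}
	if !now.Before(b.Cert.NotAfter) {
		return ErrExpired
	}
	if !ed25519.Verify(b.Cert.DistPub, b.Jar, b.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	rootPub, rootPriv := NewKeypair()
	distPub, distPriv := NewKeypair()
	issued := time.Date(2002, 11, 14, 0, 0, 0, 0, time.UTC)
	cert := IssueDistCert(rootPriv, distPub, issued.Add(30*24*time.Hour)) // one-month key
	build := SignBuild(distPriv, cert, []byte("constructed stand-in for freenet.jar"))
	fmt.Println("fresh build:", VerifyBuild(rootPub, build, issued.Add(24*time.Hour)))
	fmt.Println("after expiry:", VerifyBuild(rootPub, build, issued.Add(60*24*time.Hour)))
}
```

The point of the expiry check is that a leaked distribution key only exposes builds for the remainder of its window, and rotating it needs no client change because clients pin only the root key. The example does not model the cross-signatures (Oskar, Matthew) or the root-key-loss case Dan mentions; those are web-of-trust policy decisions layered on top of this mechanical check.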
