On 10/03/2014 01:21 PM, Ben Laurie wrote:
> On 3 October 2014 17:49, Tao Effect <[email protected]> wrote:
>> On Oct 3, 2014, at 2:13 AM, Ben Laurie <[email protected]> wrote:
>> Software holding the key monitors the log(s) for key changes.
>>
>> What software would that be (Apache? GPG?)?
>
> I can't answer that - it depends what system we're talking about, and
> AFAICS we're not yet talking about a specific system, just an idea - but
> the idea is that whatever software holds keys for users also monitors logs
> on their behalf.

When i hear "holds keys", i usually think of holding the secret key
material. But when i think of the monitor, i see no reason why a
monitor needs access to the secret key material.

The monitor would want to know the public key material i want associated
with a particular identity (so it doesn't alert me falsely about my own
key), but that's it.

For example, I could set up my home server (which doesn't have access to
my secret key material for messaging purposes) to monitor for anyone
claiming that my messaging identity is bound to a different key.

These clarifications are probably obvious, but i think it's worth making
them explicit.

Regards,

--dkg
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
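
The monitor described in the message above, as an added example that is not code from the thread or from any project discussed in it: it is configured with public keys only and flags any log entry that binds a watched identity to a different key. The log record shape (`LogEntry`), the SHA-256 fingerprint, the case-insensitive identity comparison and all sample values are assumptions made for illustration, since the thread names no specific system.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:            # hypothetical log record: "identity is bound to key"
    index: int
    identity: str
    public_key: bytes


def fingerprint(public_key: bytes) -> str:
    # SHA-256 over the raw bytes is a stand-in, not an OpenPGP fingerprint.
    return hashlib.sha256(public_key).hexdigest()


def normalise(identity: str) -> str:
    # Assumption: identities compare case-insensitively.
    return identity.strip().lower()


class BindingMonitor:
    """Holds only public keys; no secret key material is ever needed."""

    def __init__(self, expected: dict[str, list[bytes]]):
        self.expected = {normalise(i): {fingerprint(k) for k in keys}
                         for i, keys in expected.items()}
        self.next_index = 0  # first log index not yet examined

    def check(self, entries: list[LogEntry]) -> list[LogEntry]:
        alerts = []
        for entry in sorted(entries, key=lambda e: e.index):
            if entry.index < self.next_index:
                continue  # already examined on an earlier poll
            self.next_index = entry.index + 1
            known = self.expected.get(normalise(entry.identity))
            if known is not None and fingerprint(entry.public_key) not in known:
                alerts.append(entry)  # watched identity bound to a foreign key
        return alerts


# Constructed sample data.
MY_KEY = b"constructed-public-key-A"
SAMPLE_LOG = [
    LogEntry(0, "alice@example.org", MY_KEY),
    LogEntry(1, "bob@example.org", b"constructed-public-key-B"),
    LogEntry(2, "Alice@Example.org", b"constructed-public-key-C"),
]
```

With `BindingMonitor({"alice@example.org": [MY_KEY]})`, entry 0 is the owner's own key and raises no alert, entry 1 is an unwatched identity, and entry 2 is reported.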
