Re: Multiple Keyrings WAS Signing multiple keys

2011-08-27 Thread Werner Koch
On Sat, 27 Aug 2011 00:46, sand...@crustytoothpaste.net said:

> dpkg-source would lose the ability to verify packages before unpacking
> them.  apt's archive verification would break.  That doesn't include

Wrong.  It uses gpgv which is a verification only tool; it uses a list
of trusted keys (i.e. the debian keyring).  That is the simplest and
most straightforward way for verification.  I actually developed it for
debian.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
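
An added example, not part of the message above and not code from GnuPG or Debian: a sketch of the gpgv pattern Werner describes, where a detached signature is checked against explicitly named keyring files and the decision is taken from gpgv's machine-readable status lines. The function names, the reject-on-any-failure policy and the sample status lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not code from the thread, GnuPG or Debian.

# gpgv_verdict: read gpgv "--status-fd" lines on stdin. Prints the
# fingerprint of the key that made the signature and returns 0 only if a
# VALIDSIG line was seen and no failure status appeared (a strict policy
# chosen for this example).
gpgv_verdict() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { fpr = $3 }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            if (fpr != "" && !bad) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_detached SIG DATA KEYRING...
# Every KEYRING is handed to gpgv with --keyring; gpgv treats all keys in
# those files as trusted and only reads them.
verify_detached() {
    [ "$#" -ge 3 ] || { echo "usage: verify_detached SIG DATA KEYRING..." >&2; return 2; }
    sig=$1; data=$2; shift 2
    n=$#
    for ring in "$@"; do
        [ -r "$ring" ] || { echo "unreadable keyring: $ring" >&2; return 2; }
        set -- "$@" --keyring "$ring"    # append; the originals are dropped below
    done
    shift "$n"
    gpgv --status-fd 1 "$@" "$sig" "$data" 2>/dev/null | gpgv_verdict
}

# Constructed status output (not captured from a real run): one good signature.
sample='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Key <key@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-08-27 1314403200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
printf '%s\n' "$sample" | gpgv_verdict
```

gpgv does not check for expired or revoked keys, so the contents of the keyring files passed in are the entire trust policy.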


Re: Multiple Keyrings WAS Signing multiple keys

2011-08-26 Thread Doug Barton
[some snippage]

On 08/26/2011 14:29, Nicholas Cole wrote:
> On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton wrote:
>> BTW, this is another one of the reasons that I find the ability to have
>> multiple keyrings useful, and would very much miss that functionality if
>> it disappeared from gnupg 2.1.
> 
> I know Werner has said all this before, but I sometimes think that too
> few people chime in to say, "yes I agree".
> 
> The problem with multiple keyrings is that they introduce all sorts of
> corner cases and unpredictable, ambiguous behaviour. 

This is not meant as an attack in any way, shape, or form; but I don't find
"It's hard to do right" a compelling argument. The question is whether
or not the effort to do it right is worth it relative to the benefits
that using multiple keyrings brings.

> And actually,
> gpg itself is very quick at handling even very large keyrings.

Apologies if I haven't made it clear that this isn't even close to being
a factor for me.

> I *do* see the uses for them.  The debian keyring, for example is
> huge, and it is useful to be able to selectively include it or not in
> the gpg.conf file.  But the more I've thought about this, the more I
> think that it would be better just to have entirely separate gpg home
> directories for this sort of purpose.
> 
> For the case in question, there would be nothing to stop you having a
> home directory made specifically for a key-signing party, for example,
> importing your signing key into it and using it as your working
> directory.  '--homedir', not multiple keyrings, seems to me to solve
> the problem addressed by multiple keyrings for almost all real-world
> cases.

That would (sort of) solve the problem of dealing with new keys from a
keysigning party, but in other ways it makes things more complex as well
(I know, I've tried it).

So why do I care so much about multiple keyrings? Let me describe my
setup. First the caveat (that I've already offered, but for completeness
sake I will offer again). This is WAY more complex than the vast
majority of users would need, want, or be able to work with; and I
recognize that. But that being said ...

I have the following keyrings:

1. My public keys
2. Keys that have signed my key (including cross signatures)
3. Keys that I have signed publicly
4. Keys that I have signed locally

I always want to have these keys available, forever.

Then in decreasing order of importance I also have:

5. Keys for important contacts
6. The FreeBSD project keyring
7. Keys used to sign software and other stuff that I care about
8. The keyring for the PGPNET and PGPMIMENET groups
9. My pubring

6 and 8 are interesting in this context because while I do strive to
keep them up to date manually on a day-to-day basis it's really really
easy (using a shell alias) to recreate them by downloading the key file
and just creating a new ring with the same name as the old one.

As for my pubring, I have the auto-key-retrieve option in gpg.conf so
that when I'm reading mailing lists I don't have to be bothered about
doing that manually. When it gets too bloated and/or full of wacky stuff
I just do 'rm pubring.gpg~ && > pubring.gpg' then refresh what's left.

When I go to a keysigning party I either add or create a keyring to
represent the new keys, and then migrate them to the appropriate
existing ring as I get/send signatures. As I already pointed out my
script to generate challenge messages relies primarily on having a
keyring to work with, although I did add functionality to do individual
keys.

Could I find ways to do all of this in a "one keyring to rule them all"
world? Sure, with enough effort and creativity. But as Brian already
pointed out I'm not the only one who has built functionality around the
idea of multiple keyrings, and I suspect that there are a lot more use
cases than ours.


Doug

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: Multiple Keyrings WAS Signing multiple keys

2011-08-26 Thread brian m. carlson
On Fri, Aug 26, 2011 at 10:29:04PM +0100, Nicholas Cole wrote:
> I *do* see the uses for them.  The debian keyring, for example is
> huge, and it is useful to be able to selectively include it or not in
> the gpg.conf file.  But the more I've thought about this, the more I
> think that it would be better just to have entirely separate gpg home
> directories for this sort of purpose.

There is a lot of infrastructure in Debian that depends on the ability
to have read-only keyrings using a command-line option.  If that
functionality were to disappear, somebody would patch it in because the
breakage would be too great (and needless).  If an additional option
were required to use multiple keyrings, I would submit a patch to make
it the default because otherwise it would break existing functionality.

Besides the several different programs that handle key signing parties,
dpkg-source would lose the ability to verify packages before unpacking
them.  apt's archive verification would break.  That doesn't include
dak, the Debian Archive Kit, which also uses GnuPG and would also break.

I expect that most GNU/Linux distributions would also use those patches
for the same reasons.  Removing the capability from GnuPG would not have
the effect of removing the functionality, but only of shifting the
maintenance burden.

> For the case in question, there would be nothing to stop you having a
> home directory made specifically for a key-signing party, for example,
> importing your signing key into it and using it as your working
> directory.  '--homedir', not multiple keyrings, seems to me to solve
> the problem addressed by multiple keyrings for almost all real-world
> cases.

Creating a separate directory and populating it seems silly and
wasteful, plus it prevents the storage of multiple, separate keyrings in
one directory (like /usr/share/keyrings).  If you would like to use the
--homedir method, nothing is preventing you from doing that.  But
breaking existing infrastructure will go over like a lead balloon.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: Multiple Keyrings WAS Signing multiple keys

2011-08-26 Thread Nicholas Cole
On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton wrote:
> BTW, this is another one of the reasons that I find the ability to have
> multiple keyrings useful, and would very much miss that functionality if
> it disappeared from gnupg 2.1.

I know Werner has said all this before, but I sometimes think that too
few people chime in to say, "yes I agree".

The problem with multiple keyrings is that they introduce all sorts of
corner cases and unpredictable, ambiguous behaviour.  And actually,
gpg itself is very quick at handling even very large keyrings.

I know that their removal would mean that some people have to adjust
how they use gpg, but I am sure that the end of multiple keyrings
would actually be for the best, and I think removing them is the right
thing to do.

In fact, just as at the moment the handling of multiple files needs to
be explicitly enabled, I would favour seeing an option to explicitly
enable or disable multiple keyrings in the current versions, just
because I think that unless users take particular care they can be
harmful.

I *do* see the uses for them.  The debian keyring, for example is
huge, and it is useful to be able to selectively include it or not in
the gpg.conf file.  But the more I've thought about this, the more I
think that it would be better just to have entirely separate gpg home
directories for this sort of purpose.

For the case in question, there would be nothing to stop you having a
home directory made specifically for a key-signing party, for example,
importing your signing key into it and using it as your working
directory.  '--homedir', not multiple keyrings, seems to me to solve
the problem addressed by multiple keyrings for almost all real-world
cases.

Best wishes,

Nicholas
