I was thinking about it (again)... but a little search spared me a "duplicate" proposal... So I will answer the latest messages I can find about it, as I'm very interested in the thing.

From message http://sources.redhat.com/ml/cygwin-apps/2002-07/msg00403.html
> I think we could have the keyring (a document) on the mirror sites,
> itself signed by Redhat's Software Signing Key (or CGF's personal key
> for that matter).

Having a keyring itself signed is not that useful: it doesn't add any "trust" in the gpg trust system. Here "trust" is the central thing... people can assume to trust the key contained in setup.exe, it would be hard otherwise, but at least on the developer side more trust is needed IMHO: each maintainer's key should have "enough trust" in the eyes of RH (or CGF himself, doesn't change the point as far as I'm concerned).

But how much trust is "enough"? Let's see what other approaches are using... the only one that comes to my mind is the Debian package maintainership method: every maintainer needs a trusted key to upload a package. Let's see how Debian defines "trusted key"... more or less this way (I won't quote the exact message as I opened the Italian page and I am now offline): a key is trusted if it is signed by a trusted key (with no limit on the number of "hops") or if the maintainer can send some form of photo-ID.

But I can't see how a photo-ID can be _really_ trusted... but is it our point to trust completely the association between the physical person and the signing key? This could be good, but this is not strictly necessary: right now we're accepting packages just trusting the "From:" header of a mail... a thing that can't be trusted at all! In this perspective a scan of an acknowledged photo-ID should be a good start.

Of course Debian's main method to authenticate new maintainers is to have them have their key signed by a previous maintainer, as their maintainers are quite a big number of people and are present in almost any country. I think that this method can be good enough also for us... I'm a bit paranoid about security but reality must be faced: it is impossible that every one of us meets CGF or a Red Hat guy.

Well... the latter wouldn't be *so* difficult, if I'm not wrong there's a Red Hat building also in my city (Milano, Italy)... but I guess it's a sales office, not a development center. Moreover I don't know how much cygwin is or must or can depend on redhat itself. (In case this could be acceptable I would willingly go physically there to show my face and my ID card to some RH guy.)

As a matter of fact we could use the existing Debian as a source of GPG trust: if we want to use a similar system and we suppose that Debian has no "Evil Intentions" we can easily assume that a long-time Debian maintainer (with his own Debian-signed key) is enough (or more) trusted than we need.

Looking forward to comments =)

Lapo

-- 
Lapo 'Raist' Luchini [EMAIL PROTECTED] (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)
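The Debian-style rule paraphrased in the mail (a key is trusted if signed by a trusted key, with no limit on hops) and the point that signing the keyring document adds no trust to the keys inside it, as an added example that is not part of the original mail; the key names, signatures and keyring contents are constructed sample data, and the hop-limit variant is added for comparison.

```python
from collections import deque

# Constructed sample web of trust (not real keys): SIGNATURES[key] is the set
# of keys that have signed that key.  "root" stands for the project's signing
# key, which is trusted a priori (e.g. the key shipped inside setup.exe).
SIGNATURES = {
    "root": set(),
    "alice": {"root"},
    "bob": {"alice"},
    "carol": {"bob"},
    "dave": {"carol"},
    "mallory": set(),          # nobody trusted has signed this key
    "eve": {"mallory"},        # only signed by an untrusted key
}

# Constructed keyring document listing maintainer keys; assume it is itself
# signed by "root".
KEYRING_MEMBERS = {"alice", "bob", "eve"}


def trusted_keys(signatures, roots, max_hops=None):
    """Return {key: hops} for every key reachable from a root via signatures.

    max_hops=None is the rule quoted from Debian (no limit on the number of
    hops); an integer imposes a certification-depth cut-off instead.
    """
    hops = {root: 0 for root in roots}
    queue = deque(roots)
    while queue:
        signer = queue.popleft()
        if max_hops is not None and hops[signer] >= max_hops:
            continue                     # this key may not vouch any further
        for key, signers in signatures.items():
            if signer in signers and key not in hops:
                hops[key] = hops[signer] + 1
                queue.append(key)
    return hops


def untrusted_keyring_members(keyring_members, signatures, roots):
    """Keys listed in a root-signed keyring that still have no trust path.

    A signature over the keyring *document* authenticates the document, not
    the keys inside it; each key still needs its own chain to a root.
    """
    return set(keyring_members) - set(trusted_keys(signatures, roots))


def may_upload(key, signatures, roots, max_hops=None):
    """Upload policy: accept a package only if its signing key has a trust path."""
    return key in trusted_keys(signatures, roots, max_hops)
```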