On Thu, Jan 16, 2020 at 03:18:54PM -0500, Daniel Kahn Gillmor wrote:
> On Wed 2020-01-15 21:40:38 +0000, Jonathan McDowell wrote:
> > Y'all are welcome to (and tell prospective contributors to) send keys to
> > the.earth.li, which is not SKS and still accepts third party
> > certifications. It does some limited signature verification which I'm
> > generally working to improve when time allows, but I think it's a
> > half-way house between what we currently have (trust a failing keyserver
> > network to have the data) and what's being proposed (implement a very
> > specific service to suit our needs for retrieving 3rd party certs).
> 
> It looks to me like the only thing nm needs the keyserver for is a
> placeholder for keys until they land in the debian keyring (or the
> debian-maintainer keyring), at which point we can rely on
> keyring.debian.org.
> 
> right?
> 
> if the applicant is expected to submit this key somehow, it seems
> simpler to me to have them just submit it to nm directly with the rest
> of the application (e.g. "here are 9 questions, one of them needs you to
> paste your OpenPGP certificate")  than to say "here are 8 questions; for
> the 9th question, send your OpenPGP certificate to service X, and then
> paste the fingerprint of the certificate here, and we'll reassemble it
> from service X later".

Mostly my concern is about avoiding the effort of having to code the
bits of nm.d.o to accept keys from the applicant and forward them to
keyring-maint, and the piece on the keyring-maint side of automatically
putting the key into the repo (i.e. as part of process-rt). If someone
else is saying they'll do all that work then I have no objections!

J.

-- 
  It's more than good enough so I  |  .''`.  Debian GNU/Linux Developer
          ain't switch'n.          | : :' :  Happy to accept PGP signed
                                   | `. `'   or encrypted mail - RSA
                                   |   `-    key on the keyservers.
