On Thu, Nov 14, 2002 at 08:08:14PM -0500, harik at chaos.ao.net wrote:
> On Thu, 14 Nov 2002, Matthew Toseland wrote:
> >
> > For getting the latest build? Please explain to me how we are supposed
> > to keep a single SSK private key secure for all eternity?
>
> The same way you keep your PGP key secure. Don't Share.
>
> I'd suggest Web-of-Trust. Either internal to freenet or using PGP
> keyservers. Sign a .JAR with a short-expiration key (on the order of
> weeks or months) Sign that key with Ian's key. (Cross signed with
> Oskar, Matthew, etc) Now we have a distribution key, known to one
> person (The "distribution officer") with a short duration.

Again, we need an in-freenet revocation mechanism in case something
happens to the DO. And if we're going to have one, and revocation is
likely to be rare, why not have the DO pubkey trusted indefinitely until
revoked?

>
> It's not perfect (losing Ian breaks it) but we're not completely
> dependent on the security AND availability of fp.o.
>
> --Dan
-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
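The two policies debated in this thread (a short-expiration distribution key versus one trusted indefinitely until revoked) can be compared in a small verifier. This is an added example, not part of the original message and not Freenet code: Ed25519 stands in for the PGP/SSK keys, the `revoked` set stands in for the in-Freenet revocation mechanism, and `Delegation`, `Delegate`, `VerifyBuild` and `Scenario` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Delegation is the root key's statement that DOKey may sign builds.
type Delegation struct {
	DOKey   ed25519.PublicKey
	Expires time.Time // zero value: trusted until revoked
	Sig     []byte    // root signature over payload()
}

func (d Delegation) payload() []byte {
	return append(append([]byte{}, d.DOKey...), d.Expires.UTC().Format(time.RFC3339)...)
}

// Delegate is run by the root key holder to certify a distribution key.
func Delegate(root ed25519.PrivateKey, do ed25519.PublicKey, exp time.Time) Delegation {
	d := Delegation{DOKey: do, Expires: exp}
	return Delegation{DOKey: do, Expires: exp, Sig: ed25519.Sign(root, d.payload())}
}

// VerifyBuild checks root -> distribution key -> build, plus revocation and expiry.
func VerifyBuild(root ed25519.PublicKey, d Delegation, build, sig []byte, revoked map[string]bool, now time.Time) error {
	switch {
	case !ed25519.Verify(root, d.payload(), d.Sig):
		return errors.New("delegation not signed by root key")
	case revoked[string(d.DOKey)]:
		return errors.New("distribution key revoked")
	case !d.Expires.IsZero() && now.After(d.Expires):
		return errors.New("distribution key expired")
	case !ed25519.Verify(d.DOKey, build, sig):
		return errors.New("build not signed by distribution key")
	}
	return nil
}

// Scenario builds a constructed key chain and checks one build under the given policy.
func Scenario(exp time.Time, revoke bool, now time.Time) error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	doPub, doPriv, _ := ed25519.GenerateKey(nil)
	build := []byte("constructed sample build bytes")
	revoked := map[string]bool{string(doPub): revoke}
	return VerifyBuild(rootPub, Delegate(rootPriv, doPub, exp), build, ed25519.Sign(doPriv, build), revoked, now)
}

func main() { fmt.Println(Scenario(time.Time{}, false, time.Now())) }
```

With a zero expiry the revocation set is the only way to withdraw trust in the distribution key; with an expiry, a verifier that never receives the revocation still stops accepting builds once the date passes.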
