On Thu, Nov 14, 2002 at 08:08:14PM -0500, harik at chaos.ao.net wrote:
> On Thu, 14 Nov 2002, Matthew Toseland wrote:
> >
> > For getting the latest build? Please explain to me how we are supposed
> > to keep a single SSK private key secure for all eternity?
>
> The same way you keep your PGP key secure. Don't Share.

It's not a matter of not sharing. It's a matter of how do you keep
anything secure while it is connected to the public internet. Sooner or
later the insertion computer will be compromised. If we piss people off,
or get big, it will be sooner.

> I'd suggest Web-of-Trust. Either internal to freenet or using PGP
> keyservers. Sign a .JAR with a short-expiration key (on the order of
> weeks or months) Sign that key with Ian's key. (Cross signed with
> Oskar, Matthew, etc) Now we have a distribution key, known to one
> person (The "distribution officer") with a short duration.
>
> It's not perfect (losing Ian breaks it) but we're not completely
> dependent on the security AND availability of fp.o.
>
> --Dan
--
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
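The delegation scheme proposed in the quoted text (a long-term key signs a short-expiration distribution key, which signs the .JAR) can be sketched as a verifier; this is an added example, not part of the original message or Freenet's code. It assumes Ed25519 in place of PGP, and every type and function name in it is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Delegation is the root key's signed statement that DistKey may sign releases
// until Expires. Assumption: Ed25519 stands in for PGP; all names are hypothetical.
type Delegation struct {
	DistKey ed25519.PublicKey
	Expires time.Time
	RootSig []byte // root signature over DistKey || Expires (Unix seconds)
}

func signedBytes(k ed25519.PublicKey, exp time.Time) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(exp.Unix()))
	return append(append([]byte{}, k...), ts...)
}

// Delegate is run with the offline root key to bless a short-lived distribution key.
func Delegate(root ed25519.PrivateKey, dist ed25519.PublicKey, exp time.Time) Delegation {
	return Delegation{DistKey: dist, Expires: exp, RootSig: ed25519.Sign(root, signedBytes(dist, exp))}
}

// VerifyRelease checks the chain root -> distribution key -> artifact at time now.
func VerifyRelease(root ed25519.PublicKey, d Delegation, artifact, sig []byte, now time.Time) error {
	if !ed25519.Verify(root, signedBytes(d.DistKey, d.Expires), d.RootSig) {
		return fmt.Errorf("distribution key is not signed by the root key")
	}
	if !now.Before(d.Expires) {
		return fmt.Errorf("distribution key expired at %s", d.Expires.Format(time.RFC3339))
	}
	if !ed25519.Verify(d.DistKey, artifact, sig) {
		return fmt.Errorf("artifact signature does not match distribution key")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	distPub, distPriv, _ := ed25519.GenerateKey(nil)
	issued := time.Date(2002, 11, 15, 0, 0, 0, 0, time.UTC) // constructed date
	d := Delegate(rootPriv, distPub, issued.AddDate(0, 0, 30))
	jar := []byte("constructed stand-in for the release .JAR bytes")
	sig := ed25519.Sign(distPriv, jar)
	fmt.Println(VerifyRelease(rootPub, d, jar, sig, issued.AddDate(0, 0, 7)), VerifyRelease(rootPub, d, jar, sig, issued.AddDate(0, 0, 60)))
}
```

Because the expiry is inside the bytes the root key signs, a holder of the distribution key alone cannot extend its lifetime; only the root key, which never needs to sit on the insertion computer, can issue the next delegation.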
