On Mon, Jul 19, 2004 at 12:07:16PM -0700, D. Cooper Stevenson wrote: > > Let's do it again, but next time start with a presentation on how it > > works and what it's good for. Then do the keysigning (and keymaking) > > right after the presentation. > > I agree. I think all of this should go through Joseph, here are my > thoughts: > > It would be nice to provide for would-be PGP key owners a single place > where they could show up, be assigned a public/private PGP key pair, > have their keys published to a public key server, and have their public > keys authenticated. > > In effect, one would walk in with their required credentials, and walk > out with a valid PGP public/private key pair that's ready to use.
The problem with this is that you must trust that the machine on which you create the key is "safe" and that the machine, if it is not yours, has its contents eradicated upon completion. GnuPG rightly supports SUID operation in which it will even protect the memory it allocates on a multiuser system so that a non-root user may not read the RAM through some means while the program is in use.. Generally you create your own key. Unless you have a trusted computing device in your hands, it is impractical to learn about public key cryptography, learn the basics of GnuPG, create a key, and have it signed all in one go. I mean, I'm sure some of us who least need such a seminar could probably do it, but we have laptops with ssh connections to our own personal servers behind firewalls we trust because we built them. But then, our group is perfectly capible of reading the PGP intro document and the GnuPG manpage or digging my howto for GnuPG key creation out of euglug archives, so such a basic level seminar would be largely unnecessary, other than perhaps to discuss some of the best practices and justify the paranoia which created them. Probably the group who could create keys in one go like that would be more interested in the meta-discussion I was hoping to have at this keysigning about smart cards or USB keys or other external key storage devices which can be as physically secure as your person and theoretically quickly destoyed if the risk of it being compromised is great. (That's one of those bits of paranoia that most people would want justified, I'm sure.) _______________________________________________ EUGLUG mailing list [EMAIL PROTECTED] http://www.euglug.org/mailman/listinfo/euglug
