To answer some of my earlier questions, here is one specific way of doing it:

Tom Lane creates a PostgreSQL key, signing only, DSA, 1024 bits, that expires 
in 3 years. It ends up looking something like this:

pub  1024D/0BB10D1D 2003-02-07 PostgreSQL (PostgreSQL signing key) <[EMAIL PROTECTED]>

Tom keeps a close watch on the commits list and waits for a new version to be 
released. When the tarball is made, he checks it out and when satisfied, he 
signs it with the key. (Other people can look it over and verify it by referring 
to its sha1sum).

Once signed, the small text file that is created is mailed to the web group (or 
just posted to the list). Somebody adds it to the web page, and from there to all 
the mirrors. Tom keeps the key secure, preferably by not keeping it on a box connected 
to the net. He generates a revocation certificate and gives it to Bruce, who 
squirrels it away until needed. Tom signs the key with his own, and perhaps other 
developers who have PGP keys sign it too. People meet Tom at the conferences, exchange keys, 
the Web of Trust grows, and all is good in the world again.

I chose Tom because he is part of the core and has (IMO) the best ability to 
detect problems in the source code and verify a final tarball.

It doesn't really matter who has the key, actually, as long as they are sufficiently 
careful/paranoid about keeping it safe and offline, and at least one person in 
the core group has the ability to revoke it in case of an emergency.

--
Greg Sabino Mullane [EMAIL PROTECTED]
PGP Key: 0x14964AC8 200302071451
Comment: http://www.turnstep.com/pgp.html
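The procedure sketched in the post above, scripted end to end with GnuPG, as an added example; it is not code from the original post or from the PostgreSQL project. Assumptions: GnuPG 2.1 or later is installed as `gpg`; a signing-only Ed25519 key stands in for the 1024-bit DSA key the post proposes, since 1024-bit DSA and SHA-1 signatures are no longer considered adequate, and the checksum step uses SHA-256 instead of sha1sum for the same reason; the key has no passphrase so the script can run unattended, which a real release key would never do; the tarball contents, the key's name and e-mail address and the function names (`make_signing_key`, `sign_tarball`, `verify_tarball`, `make_revocation_cert`, `revoke_key`, `run_demo`) are all constructed for this example. Everything happens in a throwaway keyring so nothing touches the user's own `~/.gnupg`.

```shell
#!/bin/sh
# Added example, not code from the original post or from the PostgreSQL project.
# Assumes GnuPG 2.1+ as `gpg`; an Ed25519 signing-only key replaces the post's
# 1024-bit DSA key; the key is unprotected so the script can run unattended
# (a real release key would have a passphrase and live on an offline machine).
set -eu

GPG="gpg --batch --no-tty --yes"

# Step 1: a signing-only key, expiring in 3 years, in the current GNUPGHOME.
# Prints the new key's fingerprint, which the other steps use to name the key.
make_signing_key() {
    $GPG --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: PostgreSQL
Name-Comment: PostgreSQL signing key
Name-Email: signing-key@example.invalid
Expire-Date: 3y
%commit
EOF
    $GPG --with-colons --list-secret-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Step 2: sign the tarball. A detached, ASCII-armoured signature is a small text
# file that travels separately (mail, web page, mirrors) from the tarball itself.
sign_tarball() {  # $1 = key fingerprint, $2 = tarball
    $GPG --local-user "$1" --armor --detach-sign --output "$2.asc" "$2" >/dev/null 2>&1
}

# Step 3: what a downloader does. Exit status 0 only for a good signature by a key
# in the verifier's keyring; a modified tarball or signature gives non-zero.
verify_tarball() {  # $1 = tarball (signature expected at $1.asc)
    $GPG --verify "$1.asc" "$1" >/dev/null 2>&1
}

# A checksum lets reviewers confirm they examined the same bytes that were signed;
# on its own it proves nothing about origin, because whoever can replace the
# tarball on a mirror can replace a published checksum just as easily.
tarball_digest() {  # $1 = file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Step 4: the revocation certificate, made now while the secret key is at hand and
# handed to a second core member. --gen-revoke is interactive, so the answers
# (yes / reason 0 / no description / confirm) are fed through --command-fd.
make_revocation_cert() {  # $1 = key fingerprint, $2 = output file
    printf 'y\n0\n\ny\n' | gpg --no-tty --command-fd 0 --status-fd 2 \
        --armor --output "$2" --gen-revoke "$1" >/dev/null 2>&1
}

# Importing the certificate into a keyring marks the key revoked there; once it is
# published, every verifier that refreshes the key sees it as revoked.
# Prints the validity field of the colon listing: "r" means revoked.
revoke_key() {  # $1 = revocation certificate, $2 = key fingerprint
    $GPG --import "$1" >/dev/null 2>&1
    $GPG --with-colons --list-keys "$2" | awk -F: '/^pub:/ { print $2; exit }'
}

# Walk the whole procedure in a throwaway keyring with a constructed stand-in for
# the tarball. Prints three words: verdict on the pristine tarball, verdict on a
# tampered copy, and the key's state after revocation ("good rejected r").
run_demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    tarball="$work/postgresql-release.tar.gz"
    printf 'constructed stand-in for a release tarball\n' > "$tarball"

    fpr=$(make_signing_key)
    sign_tarball "$fpr" "$tarball"
    echo "release digest: $(tarball_digest "$tarball")" >&2
    if verify_tarball "$tarball"; then pristine=good; else pristine=bad; fi

    printf 'trojan\n' >> "$tarball"            # a tampered copy on a mirror
    if verify_tarball "$tarball"; then tampered=accepted; else tampered=rejected; fi

    make_revocation_cert "$fpr" "$work/revoke.asc"
    state=$(revoke_key "$work/revoke.asc" "$fpr")

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$pristine $tampered $state"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not installed" >&2; fi
```

Run it with `sh sign-release.sh`; it prints `good rejected r`. Two points the script makes concrete: the tampered copy is rejected by the signature alone, with no reliance on the checksum, and the revocation certificate is the only thing that lets the second core member kill the key without holding the secret key, which is why it is generated at the same time as the key and stored separately. Anyone who can read that certificate can revoke the key, so it needs the same care as the secret key itself. GnuPG 2.1 and later also write one automatically under `openpgp-revocs.d` in the key's home directory at generation time. Verification is only as strong as the verifier's reason to trust the public key, which is what the post's Web of Trust step is for.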
