You can, of course, revoke signatures with GPG without a problem and then sign the distributions with it (at least as a detached signature). The installer could offer to check that signature by calling GPG but this is highly insecure (as anyone who replaced the binary would forge the call). What you really want is for people to check the signature themselves (with GPG/PGP).

Oh yes it's all so simple we sign the webinstaller in fact we don't even need to do that we just insert it under an SSK. </sarcasm>. The problem is that we need to be able to revoke and/or update the signing key, otherwise a Bad Guy who got the key could destroy most of the network just by distributing compromised nodes.
--
Michael T. Babcock
CTO, FibreSpeed Ltd.
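As an added example (not part of the original message or the project's code), this is one way a user could check a detached signature themselves and have a revoked or expired signing key count as a failure, by reading GnuPG's machine-readable status lines. The fingerprint is a constructed placeholder, and the function names `check_status` and `verify_release` are hypothetical.

```shell
#!/bin/sh
# Constructed placeholder: replace with the release key fingerprint,
# obtained out of band (not from the same site as the download).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of status output for a signature made by a revoked key.
# gpg reports REVKEYSIG instead of GOODSIG, but VALIDSIG can still appear.
SAMPLE_REVOKED="[GNUPG:] REVKEYSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 8 00 $PINNED_FPR"

# check_status FPR: reads "gpg --status-fd" lines on stdin and returns 0 only
# if the signature is good, was made by the pinned key, and that key is
# neither revoked nor expired.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key fingerprint; the last field,
            # when present, is the primary key fingerprint.
            if ($3 == want || $NF == want) pinned = 1
        }
        END {
            if (good && pinned && !bad) exit 0
            exit 1
        }
    '
}

# verify_release FILE SIG: run gpg on a detached signature and apply the check.
# Human-readable gpg output stays on stderr; status lines go to stdout.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" | check_status "$PINNED_FPR"
}

# Run as: sh verify.sh installer.bin installer.bin.sig
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by pinned key, key not revoked or expired"
    else
        echo "FAIL: do not run $1" >&2
        exit 1
    fi
fi
```

A revocation only takes effect once the verifier's keyring has the revocation certificate, so the key should be refreshed from a trusted source before checking.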