[TriLUG] TriLUG master pgp key

John Franklin franklin at elfie.org
Thu Jul 1 13:27:44 EDT 2004


On Thu, Jul 01, 2004 at 09:19:12AM -0400, Jeremy Portzer wrote:
> On Wed, 2004-06-30 at 18:04, John Franklin wrote:
> > Does TriLUG have a master PGP key?  That is, a PGP key that belongs to
> > the LUG itself which not only could be used for signing LUG-originated
> > documents, but would also provide a common path-of-trust for everyone in
> > the LUG (who bothers to cross sign with the LUG)?  It's the sort of
> > thing I would envision TriLUG cross-signing with other *UGs around the
> > world (especially as more and more of us wander off) to provide a
> > LUG-Web-Of-Trust.  It may mean that it is set to expire with each
> > election of a new SC and one member of the SC is designated the
> > Key Master.
> > 
> 
> One of the purposes of PGP/GPG in my book is that it links a key/e-mail
> address with a Real-Life Person.  That is, a humanoid with a first and
> last name, not a pseudonym or organization.  It's not really possible to
> "trust" an organization, only the people in it.  Therefore I wouldn't
> really see the need for such a key; why not just use the person's own
> key?

Some organizations, including US-CERT, have organization keys which are
separate from personal keys.  Orgs are legal entities, composed of
people, which is one more reason to expire the keys on an annual basis:
I know the current crowd.  In three years, who knows how many will have
moved on and how many newbies we'll have.

> Also, putting a lot of emphasis on a central key would make it a 'weak
> link' in a web of trust.  It's supposed to be a web, not a hub and spoke
> system.  (Plus, keys that expire are a pain, since you often have to get
> certifications [signatures] again).    I also don't know where the
> private key would be stored but I suppose that could be worked out.

The LUGs should encourage members to cross-sign with members from other
LUGs.   The LUGs should also get together from time to time to play each
other in softball or soccer or something and then get some root beers
afterwards.  But that's another thread.

Expired keys can still be checked, for as much as that's worth.
Besides, some decay in the web-of-trust is good.  It requires the trust
to be refreshed from time to time, which enhances the value of unexpired
trust.

> I do see the advantage of cross-signing with other LUG keys around the
> world, if such keys exist.  Do you have examples of this in use at other
> LUGs?

No, but someone has to start it.  And since TriLUG pops up on other LUGs'
websites (e.g., [1]), plus members who have moved out and joined other
LUGs, we may set up a precedent and a web-of-trust among LUGs.

> Just MHO though.  Any others have thoughts?  Magnus?


[1] http://www.sclug.org.uk/pgp_signing.php

jf
-- 
John Franklin
franklin at elfie.org
ICBM: N37 12'54", W80 27'14" Z+2100'