Keys not trusted
Fri May 16 15:19:02 2003
David Shaw, on Thu, May 15 2003 at 23:06, wrote:
> On Sat, May 10, 2003 at 10:27:47AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > I have a little script that just presents me with 5 random keys. I
> > then delete those where I don't recognize the name (either from
> > mailing lists, or privately) - I do this more or less weekly
> > (sometimes less). It's far from perfect, but I don't want to go
> > through the whole keyring. Of course I occasionally delete a key
> > that is then downloaded again when I read mail, but as those aren't
> > people I know, I don't think this is a problem.
> Another trick that you can use is to have more than one public
> keyring. Some people have one keyring that contains the keys they
> know personally or have signed, and a larger keyring that
I use this setup (at least I'm experimenting with it).
A secret keyring, revokation certs, etc. stored offline, a copy of the
secret keyring on floppy with the primary secret key striped (only with
subkeys), and no (empty) secret keyring on connected machines, with the
following gpg.conf options:
keyserver-options auto-key-retrieve ...
And with a /floppy/pubring.gpg with only those keys (locally/ultimately)
And when I need to work on the floppy keyring, just use
"gpg --homedir /floppy" (I have a shell alias for it) and/or
"--no-default-keyring". And with autofs, I ever don't bother with
mounting/umounting the floppy (it's a ext2fs; I refer here to a floppy
for simplicity, but in fact is any removable media).
> auto-key-retrieve imports into. Then, they can just quickly blast
> through the larger automatic keyring every now and then without
> accidentally losing an important key.
A related question: there is some tool/script/whatever to automatically
prune from the keyrings those keys with only self-signatures, or some
way to list them (and only them) with gpg?
Manuel Samper OpenPGP Key ID: FFFD5DA0