Advice for Web of Trust policy
dany_list at natzo.com
Sun Feb 20 01:19:49 CET 2005
I've been playing around with the OpenPGP card and I'm now ready to go
live. I'd like to get into the web of trust but I don't know which way
to go:

1) Like most GnuPG users, a dedicated off-line signing key for signing
other people's keys and my subkeys
- not connected... that says it all!
- doesn't protect against a keyboard logger (passphrase)
- signing key can be physically duplicated (brute force attack possible)

2) OpenPGP card for both signing and encrypting
- One card for both web of trust and everyday encryption/signing
- Not easy to duplicate the key's secret material (but not impossible though ;))
- No complex passphrase to remember + automatic lock-down after 3 attempts
- Easier to use with services like biglumber.com because the signing key
is linked to an email address and also has an encryption subkey. Some
people will only give you a cert level 2 if the key is only a signing key.
- Card is going to be used on a machine connected to the Internet.

How is my policy (single OpenPGP card for everything) going to be
accepted by the community?
Is this going to be seen as a threat to the web of trust?
Maybe I can get the advantage of 1) by only signing other people's keys
with the OpenPGP SmartCard, a LiveCD and no network.

Thanks for your feedback