Working with a system-shared keyring

Vlad "SATtva" Miller sattva at pgpru.com
Thu Aug 18 10:41:40 CEST 2011


Doug Barton:
> On 08/09/2011 02:38, Werner Koch wrote:
>> On Fri, 10 Jun 2011 20:43, dougb at dougbarton.us said:
>>
>>>> But fixes a lot of problems.  The keyring is a database and if we
>>>> distribute this database to several files without a way to sync them;
>>>> this leads to problems.  You may have not been affected by such problems
>>>> but only due to the way you use gpg.
>>>
>>> Can you elaborate on those problems? I can think of several examples
>>> of databases whose contents are stored in multiple files without any
>>> difficulty, so I'm curious.
>>
>> But in those cases the files are either under the control of the
>> database or partitioned using a well defined scheme.  With the --keyring
>> option this is different: You may add several keyrings to GnuPG and
>> remove them later.  There is no way GPG can tell whether there are
>> duplicates or which instances of a duplicated entry it needs to update.
>> Sure, we could make this work but it will get really complex.  Thus
>> it is far easier to have one file or set of files which are under the
>> sole control of GPG.
> 
> Easier to code maybe. But I still maintain that losing the ability to
> have multiple keyrings will be a significant loss of functionality for
> the user. Significant enough for me that I would likely go back to the
> 1.4 branch (with regrets, since I like some of the functionality that is
> provided in 2.x now).

Same here. Maybe I'm missing something, but it seems without the ability
to have multiple keyrings in GPG configuration one will lose an ability
to use detached subkeys (or actually any private keys) stored on a
removable USB drive for example. Do smartcards become the only
approved and *supported* way for non-local storage of private keys?


-- 
Vlad "SATtva" Miller
3d viz | security & privacy consulting
www.vladmiller.info | www.pgpru.com