Multiple Keyrings WAS Signing multiple keys

Nicholas Cole nicholas.cole at gmail.com
Fri Aug 26 23:29:04 CEST 2011


On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton <dougb at dougbarton.us> wrote:
> BTW, this is another one of the reasons that I find the ability to have
> multiple keyrings useful, and would very much miss that functionality if
> it disappeared from gnupg 2.1.

I know Warner has said all this before, but I sometimes think that too
few people chime in to say, "yes I agree".

The problem with multiple keyrings is that they introduce all sorts of
corner cases and unpredictable, ambiguous behaviour.  And actually,
gpg itself is very quick at handling even very large keyrings.

I know that their removal would mean that some people have to adjust
how they use gpg, but I am sure that the end of multiple keyrings
would actually be for the best, and I think removing them is the right
thing to do.

In fact, just as at the moment the handling of multiple files needs to
be explicitly enabled, I would favour seeing an option to explicitly
enable or disable multiple keyrings in the current versions, just
because I think that unless users take particular care they can be
harmful.

I *do* see the uses for them.  The Debian keyring, for example, is
huge, and it is useful to be able to selectively include it or not in
the gpg.conf file.  But the more I've thought about this, the more I
think that it would be better just to have entirely separate gpg home
directories for this sort of purpose.

For the case in question, there would be nothing to stop you having a
home directory made specifically for a key-signing party, for example,
importing your signing key into it and using it as your working
directory.  '--homedir', not multiple keyrings, seems to me to solve
the problem addressed by multiple keyrings for almost all real-world
cases.

Best wishes,

Nicholas
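The '--homedir' workflow from the last paragraph, as an added example that is not part of the post or of GnuPG's own tooling: a small POSIX shell script that creates an isolated home directory for a key-signing party, imports a key into it, and checks that keys in one home are invisible from another. The directory paths, the test key and its user ID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): one GnuPG home directory per purpose,
# here for a key-signing party, instead of several keyrings in one home.
set -e

# Create an isolated GnuPG home with the 0700 permissions gpg insists on
# and a minimal gpg.conf. $1: path of the new home directory (constructed).
make_party_home() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '%s\n' 'no-greeting' 'keyid-format 0xlong' > "$dir/gpg.conf"
    echo "$dir"
}

# Generate a throwaway, passphrase-less signing key inside a home so the
# example runs offline without touching real key material.
# $1: home directory, $2: user ID (constructed for the example).
gen_test_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --homedir "$1" --quick-generate-key "$2" ed25519 sign 0 >/dev/null 2>&1
}

# Export every public key of a home as ASCII armor to a file.
# $1: home directory, $2: output file.
export_pubkeys() {
    gpg --batch --homedir "$1" --armor --export > "$2" 2>/dev/null
}

# Import a key file into one home only; every other home stays untouched.
# $1: home directory, $2: key file.
import_into_home() {
    gpg --batch --homedir "$1" --import "$2" >/dev/null 2>&1
}

# Number of public keys visible from a home: the isolation check. A key
# present in the party home must not show up when another home is used.
count_keys() {
    gpg --batch --homedir "$1" --list-keys --with-colons 2>/dev/null \
        | grep -c '^pub:' || true
}

# Stop the agent that gpg started for this home once the party is over.
# $1: home directory.
stop_agent() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
}
```

Point every gpg invocation for the party at that directory with '--homedir' (or GNUPGHOME), and the default ~/.gnupg keyring is never consulted.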
