Multiple Keyrings WAS Signing multiple keys

Doug Barton dougb at dougbarton.us
Sat Aug 27 02:25:48 CEST 2011


[some snippage]

On 08/26/2011 14:29, Nicholas Cole wrote:
> On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton <dougb at dougbarton.us> wrote:
>> BTW, this is another one of the reasons that I find the ability to have
>> multiple keyrings useful, and would very much miss that functionality if
>> it disappeared from gnupg 2.1.
> 
> I know Warner has said all this before, but I sometimes think that too
> few people chime in to say, "yes I agree".
> 
> The problem with multiple keyrings is that they introduce all sorts of
> corner cases and unpredictable, ambiguous behaviour. 

This not meant as an attack in any way, shape, or form; but I don't find
"It's hard to do right" a compelling argument. The question is whether
or not the effort to do it right is worth it relative to the benefits
that using multiple keyrings brings.

> And actually,
> gpg itself is very quick at handling even very large keyrings.

Apologies if I haven't made it clear that this isn't even close to being
a factor for me.

> I *do* see the uses for them.  The debian keyring, for example is
> huge, and it is useful to be able to selectively include it or not in
> the gpg.conf file.  But the more I've thought about this, the more I
> think that it would be better just to have entirely separate gpg home
> directories for this sort of purpose.
> 
> For the case in question, there would be nothing to stop you having a
> home directory made specifically for a key-signing party, for example,
> importing your signing key into it and using it as your working
> directory.  '--homedir', not multiple keyrings, seems to me to solve
> the problem addressed by multiple keyrings for almost all real-world
> cases.

That would (sort of) solve the problem of dealing with new keys from a
keysigning party, but in other ways it makes things more complex as well
(I know, I've tried it).

So why do I care so much about multiple keyrings? Let me describe my
setup. First the caveat (that I've already offered, but for completeness'
sake I will offer again). This is WAY more complex than the vast
majority of users would need, want, or be able to work with; and I
recognize that. But that being said ...

I have the following keyrings:

1. My public keys
2. Keys that have signed my key (including cross signatures)
3. Keys that I have signed publicly
4. Keys that I have signed locally

I always want to have these keys available, forever.

Then in decreasing order of importance I also have:

5. Keys for important contacts
6. The FreeBSD project keyring
7. Keys used to sign software and other stuff that I care about
8. The keyring for the PGPNET and PGPMIMENET groups
9. My pubring

6 and 8 are interesting in this context because while I do strive to
keep them up to date manually on a day-to-day basis it's really really
easy (using a shell alias) to recreate them by downloading the key file
and just creating a new ring with the same name as the old one.

As for my pubring, I have the auto-key-retrieve option in gpg.conf so
that when I'm reading mailing lists I don't have to be bothered about
doing that manually. When it gets too bloated and/or full of wacky stuff
I just do 'rm pubring.gpg~ && > pubring.gpg' then refresh what's left.

When I go to a keysigning party I either add or create a keyring to
represent the new keys, and then migrate them to the appropriate
existing ring as I get/send signatures. As I already pointed out my
script to generate challenge messages relies primarily on having a
keyring to work with, although I did add functionality to do individual
keys.

Could I find ways to do all of this in a "one keyring to rule them all"
world? Sure, with enough effort and creativity. But as Brian already
pointed out I'm not the only one who has built functionality around the
idea of multiple keyrings, and I suspect that there are a lot more use
cases than ours.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
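The two approaches argued over in this message, several `keyring` lines in gpg.conf on Doug's side and a separate `--homedir` on Nicholas's, can be tried together in a throwaway GnuPG home. The script below is an added example, not Doug's alias or script and not part of the original post. It assumes gpg 2.x is on PATH; the user ID, the ring file names and the exported key file standing in for a "downloaded key file" are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway GnuPG home directory
# (the --homedir approach from the thread) holding separate public keyrings,
# plus the "recreate a ring from a downloaded key file" step the post does with
# a shell alias. Assumes gpg 2.x on PATH. User ID, ring names and the exported
# key file are constructed for the demo.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# Fresh, private home directory so nothing here touches the real ~/.gnupg.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Stop the agent gpg starts for this home and remove the directory on exit.
cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}
trap cleanup_demo EXIT

# A gpg.conf that names every ring explicitly. With no-default-keyring the
# stock pubring is ignored, so only the rings listed here are consulted.
make_config() {
    cat > "$GNUPGHOME/gpg.conf" <<EOF
no-default-keyring
keyring $GNUPGHOME/signed-locally.gpg
keyring $GNUPGHOME/project.gpg
EOF
}

# Create an unprotected demo key in the default ring and print its fingerprint.
make_demo_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never
    gpg --batch --quiet --with-colons --list-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Rebuild one ring from a key file: delete the old ring (and gpg's ~ backup)
# and import the file into a new ring of the same name. --no-options keeps the
# rings from gpg.conf out of the picture so the import lands only in this ring.
recreate_ring() {
    ring="$GNUPGHOME/$1"
    rm -f "$ring" "$ring~"
    gpg --no-options --batch --quiet --no-default-keyring --keyring "$ring" \
        --import "$2"
}

# Number of public keys in exactly one ring (0 if the ring is empty or absent).
count_in_ring() {
    gpg --no-options --batch --quiet --no-default-keyring \
        --keyring "$GNUPGHOME/$1" --with-colons --list-keys 2>/dev/null \
        | grep -c '^pub:' || true
}

# Number of public keys visible through gpg.conf, i.e. across all listed rings.
count_all() {
    gpg --batch --quiet --with-colons --list-keys 2>/dev/null \
        | grep -c '^pub:' || true
}

run_demo() {
    DEMO_FPR="$(make_demo_key 'Demo Contact <demo@example.invalid>')"
    # Export the key to a file standing in for a downloaded project keyring.
    gpg --batch --quiet --armor --export "$DEMO_FPR" \
        > "$GNUPGHOME/project-keys.asc"
    make_config
    recreate_ring project.gpg "$GNUPGHOME/project-keys.asc"
    echo "project.gpg:            $(count_in_ring project.gpg) key(s)"
    echo "signed-locally.gpg:     $(count_in_ring signed-locally.gpg) key(s)"
    echo "all rings via gpg.conf: $(count_all) key(s)"
}

if have_gpg; then
    run_demo
else
    echo "gpg not found on PATH; nothing to demonstrate" >&2
fi
```

Run it as-is; everything happens under a temporary GNUPGHOME that is removed on exit. `recreate_ring` is the "wipe the ring and import the downloaded file under the same name" step from the message; `count_in_ring` and `count_all` show the difference between looking at one ring in isolation (`--no-options --no-default-keyring --keyring`) and the merged view gpg.conf gives. In GnuPG 2.1 and later `--keyring` still applies to public keyrings; secret keys live under private-keys-v1.d in the home directory regardless of which rings are listed.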




More information about the Gnupg-users mailing list