Controlling Group Membership with PGP Keys
jerome at jeromebaum.com
Tue Mar 22 16:01:42 CET 2011
Mike Acker <Mike_Acker at charter.net> writes:
> Clearly the design of the PGP key and its trust model does not
> apprehend indicating Group membership
How about adding an identity: "Member of group X"?
pub 4096R/C58C753A 2010-12-28
uid Jerome Baum <jerome at jeromebaum.com>
uid Member of gnupg-users
You'd still have to manually check _who_ signed my member uid, to make
sure it's a group administrator, and timely revocation is an issue.
1. Group admin: Maybe we could add a config item that sets the
administrative key for a domain (by email part of uid) and only
trust signatures of that key when it comes to those domains? How
about a fake uid like those PayPal clones, e.g. "Member of
gnupg-users <jerome at gnpg-users>"? Why can't we use the WoT for this
kind of stuff (do I trust Alice to check before she signs a group
2. Revocation: At least now the revocation is semantically correct. I
revoke the signature stating "Jerome is a member of gnupg-users", but
I keep the signature stating "this key is really Jerome's". Timely
revocation is still an issue. I don't think you can set a preferred
key-server in a signature, can you? So we can use a (non-standard)
notation to designate that.
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 880 bytes
Desc: not available
More information about the Gnupg-users