Controlling Group Membership with PGP Keys

Jerome Baum jerome at
Tue Mar 22 16:01:42 CET 2011

Mike Acker <Mike_Acker at> writes:

> Clearly  the design  of  the PGP  key  and its  trust  model does  not
> apprehend indicating Group membership

How about adding an identity: "Member of group X"?

pub   4096R/C58C753A 2010-12-28
uid                  Jerome Baum <jerome at>
uid                  Member of gnupg-users

You'd still have  to manually check _who_ signed my  member uid, to make
sure it's a group administrator, and timely revocation is an issue.

1.  Group  admin:  Maybe we  could  add  a  config  item that  sets  the
    administrative  key for a  domain (by  email part  of uid)  and only
    trust signatures  of that  key when it  comes to those  domains? How
    about  a  fake  uid  like  those  PayPal  clones,  e.g.  "Member  of
    gnupg-users <jerome at gnpg-users>"? Why can't  we use the WoT for this
    kind of  stuff (do I trust Alice  to check before she  signs a group

2. Revocation:  At least now  the revocation is semantically  correct. I
   revoke the signature stating "Jerome is a member of gnupg-users", but
   I keep  the signature stating  "this key is really  Jerome's". Timely
   revocation is still  an issue. I don't think you  can set a preferred
   key-server in a  signature, can you?  So we  can use a (non-standard)
   notation to designate that.

PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 880 bytes
Desc: not available
URL: </pipermail/attachments/20110322/ecb676f9/attachment-0001.pgp>

More information about the Gnupg-users mailing list