Group Membership Keyring

Nicholas Cole nicholas.cole at gmail.com
Wed Mar 23 22:12:13 CET 2011


On Wed, Mar 23, 2011 at 12:27 PM, Mike Acker <Mike_Acker at charter.net> wrote:
> I really liked the idea of having the Membership Secretary sign a Public
> Keyring for the Group Members and then to circulate that keyring to the
> membership.
>
> How to implement though, as members will need an additional keyring for
> each group they have a membership with.


Just to comment on this aspect of your proposal:

Debian, for example, does circulate a keyring file in this way.  But
managing multiple keyrings is not easy, and can lead to some nasty
corner-cases.  What if you are using multiple keyrings and different
versions of the same key exist on more than one keyring?

[ as an aside, I think there is a fairly good case that multiple
public keyring files are a menace rather than a help in most cases
because of this problem....  ]

It would probably be better for the membership secretary to circulate
a keyblock (i.e. the results of an --armor --export) containing the
members' keys, which you could then import onto your own keyring.
Unless the group features many hundreds of members you should not
experience any noticeable slow-down at all.

Depending on the nature of your group there are two potential models:

- If memberships are renewed at regular intervals, the secretary can
simply sign all keys with signatures valid for the standard period of
membership and circulate the keyblock.

- If members enter and leave at different times, the membership
secretary will have to sign and revoke keys as appropriate (I'd still
put an expiry date on the signatures to be on the safe side) and
circulate the keys of all members who are current *or former members*
(so that the revoked signatures are also circulated).

- As a refinement of the second option, if you make the signatures
only valid for a year, you would only need to circulate the keys of
former members for the period during which the original signature was
ever valid.

Best wishes,

Nicholas
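The keyblock workflow described above, as an added shell example that is not part of the post (it assumes GnuPG 2.2 or later on PATH; the names, addresses, homedirs and the one-year certification expiry are constructed for the demo):

```shell
#!/bin/sh
# Added example (not code from the thread): the "circulate a keyblock, not
# a keyring" workflow with GnuPG. Assumes gpg 2.2+ on PATH; every name,
# address and key below is constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo" >&2; exit 0; }
WORK=$(mktemp -d)
SEC="$WORK/secretary"; MEM="$WORK/alice"   # two isolated GNUPGHOMEs
mkdir -p "$SEC" "$MEM"; chmod 700 "$SEC" "$MEM"
trap 'gpgconf --homedir "$SEC" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$MEM" --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Run gpg non-interactively against one homedir with an unprotected demo key.
g() { home=$1; shift
      gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
          --passphrase '' "$@"; }
fpr() { g "$1" --list-keys --with-colons | awk -F: '$1=="fpr" {print $10; exit}'; }

# 1. The secretary and a member each generate their own key pair.
g "$SEC" --quick-generate-key 'Membership Secretary <secretary@example.org>' ed25519 default never
g "$MEM" --quick-generate-key 'Alice Member <alice@example.org>' ed25519 default never
SEC_FPR=$(fpr "$SEC"); MEM_FPR=$(fpr "$MEM")

# 2. Alice sends her public key; the secretary imports and certifies it with
#    a one-year expiry (the "safe side" expiry the post recommends).
g "$MEM" --armor --export "$MEM_FPR" > "$WORK/alice.asc"
g "$SEC" --import "$WORK/alice.asc"
g "$SEC" --default-cert-expire 1y --quick-sign-key "$MEM_FPR"

# 3. The secretary circulates one armored keyblock (--armor --export) holding
#    the secretary's key plus every member key. To remove a member later,
#    revoke the certification (--quick-revoke-sig, GnuPG >= 2.2.24) and
#    re-export; the former member's key stays in the block so the revocation
#    travels with it.
g "$SEC" --armor --export "$SEC_FPR" "$MEM_FPR" > "$WORK/members.asc"

# 4. Each member imports the keyblock onto their own keyring; gpg merges the
#    new certification onto the copy of Alice's key already there.
g "$MEM" --import "$WORK/members.asc"

# Public keys now on Alice's keyring (her own plus the secretary's).
keys_on_alice_keyring() { g "$MEM" --list-keys --with-colons | grep -c '^pub:'; }

# Certifications on Alice's key made by the secretary's key ID that carry an
# expiry date (field 7 of a --with-colons "sig" record).
secretary_sigs_on_alice() {
    kid=$(printf '%s' "$SEC_FPR" | awk '{print substr($0, length($0)-15)}')
    g "$MEM" --list-sigs --with-colons "$MEM_FPR" \
      | awk -F: -v k="$kid" '$1=="sig" && $5==k && $7!="" {n++} END {print n+0}'
}
echo "keys: $(keys_on_alice_keyring), expiring secretary sigs: $(secretary_sigs_on_alice)"
```

Because members import the block rather than adding a second keyring file, a newer copy of a key simply merges with the one already held, which is the multiple-keyring corner case the post warns about.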
