public inbox for gentoo-dev-announce@lists.gentoo.org
* [gentoo-dev-announce] Gentoo Authority Keys are deployed now for testing!
@ 2019-04-13 19:37 Michał Górny
From: Michał Górny @ 2019-04-13 19:37 UTC
  To: gentoo-dev-announce; +Cc: gentoo-project

Hi, everyone.

I'd like to announce that the experimental deployment of Gentoo
Authority Keys is now in place.  If someone would like to give them
a try, the Wiki includes instructions for using them [1].

Authority Keys (as defined in GLEP 79 [2]) provide a simple, uniform way
of verifying OpenPGP keys belonging to Gentoo developers.  Long story
short, Infra runs a service that signs developer keys with a single key.
You import, verify and trust the key, and you get @gentoo.org UIDs of
all active Gentoo devs verified as a result.

The primary purpose of developer keys is to provide a better GnuPG-
friendly infrastructure for secure communication with developers.  It
can be used to verify signatures made by developers, and to encrypt mail
sent to them.  In this regard, it can be used in place of LDAP
(available only to Gentoo devs) or gentoo-keys seed files (which require
manual updates, and use a custom file format).

Besides developer key signatures, Authority Keys also provide (manually
managed) signatures for other keys used by Infra.  Therefore, they
provide an alternative to manually verifying key fingerprints against
the Gentoo website [3].

While technically right now the authenticity of Authority Keys can only
be verified against the website [3], I hope that users will start
signing them upon verifying, effectively making WoT-based verification
possible.  Once that happens, we will be able to stop relying on PKI.

Currently, the Authority Keys and signed developer keys are available
only on the experimental Gentoo keyserver (hkps://keys.gentoo.org).
Once both mature a little bit, we should start syncing keys between
the Gentoo keyserver and SKS, effectively increasing availability of
this service.

[1]:https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
[2]:https://www.gentoo.org/glep/glep-0079.html
[3]:https://www.gentoo.org/downloads/signatures/

-- 
Best regards,
Michał Górny
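
The "import, verify and trust the key" flow from the message above, as an added offline example that is not part of the original message or the Wiki instructions. It assumes GnuPG 2.1 or later and models a single authority key as the message describes it; every key, the example.org addresses and the name `authority_demo` are constructed, and a local export/import stands in for the keyserver.

```sh
#!/bin/sh
# Constructed offline model: none of these keys or addresses are Gentoo's.
set -eu

g() { d=$1; shift; gpg --homedir "$d" --batch --quiet --no-tty "$@"; }
gen() { g "$1" --pinentry-mode loopback --passphrase '' \
          --quick-generate-key "$2" ed25519 cert never 2>/dev/null; }
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# Validity GnuPG computes for the first UID of a key ("f" means fully valid).
validity() {
  g "$1" --check-trustdb 2>/dev/null
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="uid"{print $2; exit}'
}

authority_demo() {
  top=$(mktemp -d); infra=$top/infra; user=$top/user
  mkdir -m 700 "$infra" "$user"
  gen "$infra" 'Constructed Authority <authority@example.org>'
  gen "$infra" 'Constructed Dev <dev@example.org>'
  gen "$user"  'Constructed User <user@example.org>'
  auth=$(fpr "$infra" authority@example.org)
  dev=$(fpr "$infra" dev@example.org)

  # Service side: the authority key certifies the developer's UID.
  g "$infra" --yes -u "$auth" --quick-sign-key "$dev"
  # User side: obtain both public keys (export/import here, not a keyserver).
  g "$infra" --export "$auth" "$dev" | g "$user" --import
  before=$(validity "$user" "$dev")

  # After checking the authority fingerprint out of band: certify it locally
  # and give it full ownertrust (value 5 in the ownertrust export format).
  g "$user" --yes --quick-lsign-key "$auth"
  echo "$auth:5:" | g "$user" --import-ownertrust
  after=$(validity "$user" "$dev")

  gpgconf --homedir "$infra" --kill gpg-agent || true
  gpgconf --homedir "$user" --kill gpg-agent || true
  rm -rf "$top"
  echo "$before $after"
}

authority_demo
```

The developer UID is not valid in the user's keyring until the authority key is both locally certified and given full ownertrust; either step alone leaves it unverified.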

