From mboxrd@z Thu Jan 1 00:00:00 1970 From: Keir Fraser Subject: Re: request to sign software Date: Tue, 30 Mar 2010 08:00:10 +0100 Message-ID: References: <4BB11706.5020301@invisiblethingslab.com> Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <4BB11706.5020301@invisiblethingslab.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Joanna Rutkowska , Jeremy Fitzhardinge Cc: "xen-devel@lists.xensource.com" , Ian Jackson , Stephen Spector List-Id: xen-devel@lists.xenproject.org On 29/03/2010 22:09, "Joanna Rutkowska" wrote: > ...and then publish it on xen.org and sent to xen-devel. The list is > mirrored in a few places, so it would not be trivial for the attacker to > subvert the public key in all the public archives. Users can always use > more than one different internet connections to verify the key, to get > around potential compromise at an ISP level. > > This could be your "master key" and then you could simply sign other > keys (e.g. Jermey's, Keir's, etc) with this master key (simple gpg -s, > no certs, no web of trust, needed). I chatted with Ian Jackson about this, and our thought was to generate a xen.org master key which we would keep safe in Cambridge: only he and I would have copies of it (the two of us, for redundancy). We can also generate a software-signing key, signed by the master key, which we actually use for the business of signing releases from the xen-*.hg and qemu-xen-*.git repositories. We weren't sure it makes sense for Jeremy to sign anything since he's not actually making releases out of his repository. If we decide that Jeremy should sign things I think it best he makes his own key and we sign it with the master key. -- Keir