[clo-devel] Re: Please upload your public GPG key to common-lisp.net

Nikodemus Siivola nikodemus at random-state.net
Fri Nov 7 13:27:03 UTC 2003


On Fri, Nov 07, 2003 at 07:35:34AM -0500, Erik Enge wrote:

> do we want the key to just sign (no password) or to sign and
> encrypt/decrypt (then we need a password, if I understand
> correctly)?

I hope that Kevin corrects me if I'm wrong, but...

It doesn't matter: the passphrase is required in any case: it
guarantees the integrity of the key.

Imagine: somehow the key gets stolen. Now the purveyor of the key can
sign stuff as Common-lisp.net, including keys of malicious package
authors, which people will then install and run because the author's
key was trusted by Common-lisp.net...

Had the key been protected by a passphrase this would not have
happened.

Cheers,

 -- Nikodemus