Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net

Anthony Ventimiglia anthony at ventimiglia.org
Tue Nov 11 21:22:54 UTC 2003


Marco Baringer writes:
 > Anthony Ventimiglia <anthony at ventimiglia.org> writes:
 > 
 > >  > 4) You'll need to specify the user id. The user id can not change (it
 > >  >    is in fact encoded in the key) and should represent who (and in what
 > >  >    role) uses this key. As an example I have two keys, one is for me
 > >  >    personally and has my name and my regular email address, another
 > >  >    was created for the purpose of being a common-lisp.net developer,
 > >  >    and has my name but uses the mbaringer at common-lisp.net email
 > >  >    address.
 > >
 > > That's not right, you can associate multiple IDs with a single key;
 > > there is no need to generate separate keys for different email
 > > addresses. 
 > 
 > That's not quite what I meant. What I believe is that you should have
 > one key for each "role" you act in: work, personal/family, open source
 > developer, porn star, etc.
 > 
 > If stuff is signed with my work key that means one thing (mainly that
 > I take "business" responsibility for what I'm saying), while stuff
 > I'll sign with the mbaringer at common-lisp.net key is going to be for a
 > very different public. But hey, that's just the way I see it.

Well, the way you worded it made it seem like the UID could not change.
If we're planning on writing a text for folks who don't really know
gpg/pgp, we have to keep that in mind. 

I understand your point, but I don't agree with it. If I trust you
personally, I should trust you in your role at work, porn or
whatever. Having multiple keys to me seems like it would lead to a
hassle in key management, and ultimately take away from the whole idea
of the "Web of trust" we are aiming for. In practice, I don't think
many people do it that way. 

Take Debian's model for example, in order to get onto the Debian
Keyring, you need to physically meet with another Debian developer,
show some form of ID and exchange public keys (this may not be the
only way, I've been out of the Debian loop for a while). Now let's say
the two of us meet, prove our identities to each other and exchange
public keys for our common-lisp.net addresses. Now if we both have one
key, I can be confident of who you are no matter what role you sign
something in, be it work, personal or porn star fluffer.

-- 
(incf *yankees-world-series-losses*)
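The point Anthony makes above, that one key can carry several user IDs, can be checked directly with GnuPG. The script below is an added example and is not part of the mailing-list post or of any common-lisp.net tooling. It assumes GnuPG 2.2 or later is installed, works entirely inside a throwaway GNUPGHOME so the real keyring is never touched, and uses constructed names and addresses (Example Dev, dev@example.org, exampledev@common-lisp.net) purely for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: show that a single OpenPGP
# key can carry several user IDs, so a second e-mail address (a role address
# such as one at common-lisp.net) does not require a second key.
# Assumes GnuPG 2.2 or later. Runs in a throwaway GNUPGHOME; the identities
# below are constructed for the example.
set -e

# Generate a key with one UID, attach a second UID to the SAME key, and print
# the number of UIDs on that key (expected: 2).
multi_uid_count() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Unattended key generation: empty passphrase via loopback pinentry so no
    # prompt appears. Signing-only ed25519 key that never expires.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Dev <dev@example.org>' ed25519 sign never \
        2>/dev/null

    # Fingerprint of the key just created (first "fpr" record of the
    # colon-delimited listing; field 10 holds the fingerprint).
    fpr=$(gpg --batch --with-colons --list-keys 'dev@example.org' \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Second user ID on the same key: the role address.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-uid "$fpr" 'Example Dev <exampledev@common-lisp.net>' \
        2>/dev/null

    # Count the uid records attached to this one key.
    gpg --batch --with-colons --list-keys "$fpr" | grep -c '^uid:'

    # Tidy up the throwaway agent and keyring.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

multi_uid_count
```

Both user IDs hang off the same primary key, so a developer who verifies the key's fingerprint in person (the Debian-style exchange described above) can certify either UID, or both, with one signature; anyone checking a signature made under the common-lisp.net address then gets the same assurance as for the personal address.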