[clo-devel] regarding the provision of a PGP key in a project request

Sean Champ gimmal at gmail.com
Fri Jul 28 20:35:30 UTC 2006


Hello,

I have been mulling over how I might approach the distribution of some code
that I have intended would be publicly available, and the distribution of some
project-locatable material that I consider as it being relevant in regards to
Common Lisp; though the latter material has not been made in coincidence
with software beside it, but I consider that it is likely to be made, as so.

While that is not what is the subject of this email, but I mean it as some
exposition.


I had noticed that the page http://common-lisp.net/project-intro.shtml , in
regards to a request for the registration of a project, includes an
explanation: That when one would request an allocation of resources for a
project at common-lisp.net, one must provide the public complement of a PGP
key pair, of which one's own would be the private key.


I've yet to have endeavored to have 'gotten' a key onto the Debian
keyring. Time ago, there had appeared to be a likely cause as that I would,
but it was not firstly pursued by me. Since then, the slime debian package has
been taken over by another maintainer, and developed in more. I am not certain
of what would be the premise on which I would endeavor to have a key
registered onto the Debian keyring, presently.


I am aware that there is an object referred to as a keyring, and that a
keyring can be utilized in conjunction with cryptographic systems, then in
conjunction with procedures for message signing, as in the case of GPG-signed
email. (I understand, wholly, it is my responsibility, if I would endeavor to
understand how the mechanisms for such are supposed to operate, as when
operated across shell commands and such-and-such of conventional software
applications. I recognize that it is feasible that the mechanisms for such
would be operated, more directly than with shell commands, when operated in a
Common Lisp programming environment; perhaps a proposal for such might be more
fit to a common-lisp-crypsec list.)


While I hope that there will be opportunity to discuss how cryptographic
systems would be implemented in Common Lisp, but my first question would be:

In regards to the public GPG key that would be provided in a request for a
project, must that key have been registered in a public keyring?

and must the key be marked as to be 'trusted' of anyone?


(I realize, those questions might be redundant. If a key was available on a
public keyring, and if that keyring would be available as by way of a public
key service, then one could send a description of the means by which the key
would be accessed of that key service, rather than having to send the key in
the mail, and rather than requiring the other to download the key, also via
internet email)


Separately, then, in a question addressed more directly onto the operations
of a key system: I am wondering if the keyring provided at
http://common-lisp.net/keyring.asc would be able to contain key revocation
markers. (I am not aware of what is the internal structure of a keyring, but
that it would probably contain public keys for people)

Should it occur that the integrity of a private key would be violated, such
that that key would be the private complement to a public key that would have
been registered to the keyring at common-lisp.net, then oneself (and only the
person who provided the key) should be able to mark that key as it
being invalid.

Thirdly, then, most directly: I would like to voice an inquiry, as for what
are the means by which a key added to that keyring would be marked as invalid
-- like, as for what would be the means by which a key revocation certificate
(?) would be delivered on a key made to that keyring, and verified as that it
was delivered by whom had delivered the original key. (I am assuming that that
would constitute the mechanism for it, to invalidate a key in that keyring).


Fourthly, a question: Regarding the public key that would be provided on a
project request, then if the project-request will be accepted, will that
public key be added onto the keyring at http://common-lisp.net/keyring.asc ? I
had assumed that it would be, but I should like to know, without assumption.

(Like, I am wondering about how the key would be used, as would be provided in
coincidence with the project-request.)



I know that the Debian development system includes the mechanism of a key
service. (I am not immediately sure of how it is interfaced, and how it is
operated, but I trust that they've documentation about it.) If I would have a
key registered onto that key service, I wonder if that might suffice, either
beside to or in lieu of that I would send a key, also, by email.


I am aware that to have a key trusted onto Debian development, I would have to
have that key marked as to be trusted, marked by someone who may verify my
identity, onto that key -- for example, someone at a local Linux Users Group,
and presumably, someone who would already have a trusted public key.

(I am aware that there is a Free/Open Source Users Group, locally. My not
being much familiar with the group, however, I have been wary of trying to
find out how this would be approached, there -- how to get a key marked as
'trusted', there -- but I am certain that it may come to be worked out.)

That appears to be the end of the questions I find cause to ask on the
matter.


It is good to see if there are key systems being operated in regards to
projects at common-lisp.net.

I will admit that I have avoided bothering about email signing. Yet, taking
the matter seriously, I've grounds enough as to ensure a verification of
my identity on messages that I have sent. If personal email fraud is not
conventional, but it is possible; it might take something of a directed
attack, to pull off, but there is no cause to wait around for such.


If I have not made a matter sufficiently clear, in what I have endeavored to
address, above, then on inquiry, I may be glad to clarify. I would like to
avoid comment, however, as about why I would find cause to state such a
matter, explicitly.


I look forward to the prospect of hosting a project at Common-Lisp.net


Thank you

--
Sean Champ


