Subject: Re: release authentication
To: Simon Burge <>
From: Andrew Brown <>
List: tech-security
Date: 03/22/1999 00:25:36
>> The keys can either be the personal keys of the portmasters, or we can
>> generate new "role" keys for port-<foo> We should
>> endeavor to cross-sign the keys we use so that we have a solid "web of
>> trust."
>I'm not a great user of PGP - is it possible for more than one person
>(at a time, not collectively) to be able sign something with a given
>key?  For example, for the last pmax release I did the release builds,
>but am not the portmaster.

my guess would be that the portmasters would at least generate the
keys (and maybe get them signed by "core" keys?) and then make copies
of the public and secret pieces for others like you.  any number of
people can use a key for signing, provided you (a) have the secret
half and (b) know the passphrase.  you can even change the passphrase
if you like, after you get it (provided you know what it is in the
first place).  and, assuming that you have pgp installed somewhere and
that you already have your own key pair, then they can just email you
the key.  :)

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."