Subject: Re: adding gpg to src/gnu/dist
To: None <>
From: Love <>
List: tech-userlevel
Date: 05/17/2004 20:13:52

Marc Tooley <> writes:

> Am I missing something here? Is this a political decision and I'm just 
> mistaking it for a technical one?

I tried to make you (and other pgp people) answer some questions I have
about pgp.

Message-ID: <>
Message-ID: <>

I'll try asking them again.

1. How do you solve the problem of searching from the trust anchor to the
   signer ? Basically, why should the user be required to fetch keys from the
   keyserver, and if the user needs to fetch keys from the keyserver, how is
   the user going to find the keys to fetch to verify a signature ?

2. How do you revoke a certificate, i.e. revoke what you do in gpg speak:
   "gpg --edit-key 0xHH\nsign\n...."

3. pgp provides identity, not what the key is supposed to do. Sure, the
   signature is supposed to be just that, but pushing out policy from the CA
   with certificates is quite useful.

   "all certs with code-signing oid are approved by netbsd
   core/foundation/developers/whatever to be signers of binary pkgs, you
   already trust netbsd ... by using our software"

   The question is, how do you intend to distribute policy ?

4. How are certificates time limited, "Al is releng for a year now"

5. Code quality should not be used as an argument when comparing gpg and
   openssl, neither of them is pretty inside.

6. I have the code written, including code for policy, where is yours ?
   You can handwave as much as you want, but unless there is working code,
   it's all handwaving, and I don't think handwaving should stop us from
   getting signed packages.

7. If you like pgp so much, why don't you use it to sign your mails ?

