[openstack-dev] [all] Key signing at the summit?

Thomas Goirand thomas at goirand.fr
Tue Nov 11 00:35:38 UTC 2014

On 10/28/2014 02:53 AM, Marty Falatic (mfalatic) wrote:
> I'm relatively new to the keysigning *event* concept - can
> someone give a little more detail on this and where it
> comes into play? Does anyone else use a service (e.g.,
> keybase.io) for this purpose?
>  - Marty Falatic

I would recommend *against* using a service like keybase.io (for any
purpose), which offers such a horrible feature as to upload your private
key. I'm well aware that you don't *have* to do that, but I just think
it's educating PGP users the wrong way.

A private key should be:
1/ Stored on a safe medium, for example on a dm-crypt partition on your
laptop (that's what I do), or on a smart card.
2/ Backed-up somewhere safe so that you can revoke it. For example, on a
gpg symetric password protected file, then store that file on a USB key
that you will put in a safe.
3/ Never be shared with anyone.

Uploading it to a website, and trusting them with it, is *never* a good
option, no mater what feature the site proposes. And I will never trust
a site that offers this kind of feature.


Thomas Goirand (zigo)

More information about the OpenStack-dev mailing list