[openstack-dev] [all] Key signing at the summit?
ayoung at redhat.com
Tue Nov 11 04:55:59 UTC 2014
On 11/10/2014 07:35 PM, Thomas Goirand wrote:
> On 10/28/2014 02:53 AM, Marty Falatic (mfalatic) wrote:
>> I'm relatively new to the keysigning *event* concept - can
>> someone give a little more detail on this and where it
>> comes into play? Does anyone else use a service (e.g.,
>> keybase.io) for this purpose?
>> - Marty Falatic
> I would recommend *against* using a service like keybase.io (for any
> purpose), which offers such a horrible feature as to upload your private
> key. I'm well aware that you don't *have* to do that, but I just think
> it's educating PGP users the wrong way.
> A private key should be:
> 1/ Stored on a safe medium, for example on a dm-crypt partition on your
> laptop (that's what I do), or on a smart card.
> 2/ Backed-up somewhere safe so that you can revoke it. For example, on a
> gpg symmetric password protected file, then store that file on a USB key
> that you will put in a safe.
> 3/ Never be shared with anyone.
> Uploading it to a website, and trusting them with it, is *never* a good
> option, no matter what feature the site proposes. And I will never trust
> a site that offers this kind of feature.
Um, yeah. What Zigo said.
> Thomas Goirand (zigo)
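The backup described in point 2 of the quoted message, as an added example that is not part of the original thread: it exports a secret key into a symmetric, passphrase-protected gpg file and checks that the file decrypts back to a private key block. The function names, the throwaway key's uid and the passphrase are constructed for the demonstration, and GnuPG 2.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example: passphrase-protected offline backup of an OpenPGP secret key.
# The uid, passphrase and function names are constructed for this demo.

# Export secret key $1 and wrap it in a symmetrically encrypted gpg file $3.
# The backup passphrase is read from file $2 so it never appears in argv.
backup_secret_key() (
    set -o pipefail   # fail if the export fails, not only the encryption
    gpg --batch --armor --export-secret-keys "$1" |
    gpg --batch --pinentry-mode loopback --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 --output "$3"
)

# Decrypt backup $1 with the passphrase in file $2 and print the key block.
restore_secret_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$2" \
        --decrypt "$1"
}

# Round trip in a throwaway keyring; returns 0 when the backup is opaque on
# disk and decrypts back to an armored private key block.
demo_roundtrip() {
    local home rc=1
    home=$(mktemp -d) || return 1
    (
        export GNUPGHOME="$home"
        printf '%s\n' 'constructed-demo-passphrase' > "$home/pass"
        # Unprotected test key so the demo needs no pinentry.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'Demo <demo@example.invalid>' ed25519 sign never &&
        backup_secret_key 'demo@example.invalid' "$home/pass" "$home/backup.gpg" &&
        ! grep -q 'PRIVATE KEY BLOCK' "$home/backup.gpg" &&
        restore_secret_key "$home/backup.gpg" "$home/pass" 2>/dev/null |
            grep -q 'BEGIN PGP PRIVATE KEY BLOCK'
    ) && rc=0
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    return "$rc"
}
```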