Consider self-hosting team PGP keys

[andrewdavidwong]

We already have keys.qubes-os.org, which is used to host some PGP keys. However, the Team page currently links to people's PGP keys on pgp.mit.edu. It might be a minor UX improvement to simply host all Qubes-related keys on keys.qubes-os.org.

[andrewdavidwong]

@marmarek: Any chance of this happening soon?

[andrewdavidwong]

@marmarek: Any chance of this happening soon?

[woju]

On Sat, Oct 15, 2016 at 03:19:51PM -0700, Andrew David Wong wrote:

@marmarek: Any chance of this happening soon?

@andrewdavidwonv Is it really a priority? I can do it of course (I manage
keys.q-o.o), but I won't remember to update those keys when needed.

If so, what should I put there? Just snapshots of whatever pgp.mit.edu says?

pozdrawiam / best regards .-.
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>

[woju]

On Sat, Oct 15, 2016 at 03:19:51PM -0700, Andrew David Wong wrote:

@marmarek: Any chance of this happening soon?

@andrewdavidwonv Is it really a priority? I can do it of course (I manage
keys.q-o.o), but I won't remember to update those keys when needed.

If so, what should I put there? Just snapshots of whatever pgp.mit.edu says?

pozdrawiam / best regards .-.
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>

[andrewdavidwong]

Is it really a priority?

Not a priority at all, which is why I haven't mentioned it for six months. 😄

I can do it of course (I manage keys.q-o.o), but I won't remember to update those keys when needed.

I don't think it should be your responsibility to update them. Rather, I think people should just get their their key to you whenever they want them updated.

If so, what should I put there? Just snapshots of whatever pgp.mit.edu says?

Whatever is currently linked on the Team page, IMHO.

[andrewdavidwong]

Is it really a priority?

Not a priority at all, which is why I haven't mentioned it for six months. 😄

I can do it of course (I manage keys.q-o.o), but I won't remember to update those keys when needed.

I don't think it should be your responsibility to update them. Rather, I think people should just get their their key to you whenever they want them updated.

If so, what should I put there? Just snapshots of whatever pgp.mit.edu says?

Whatever is currently linked on the Team page, IMHO.

[woju]

OK, so let's get it done.

https://keys.qubes-os.org/team/, just pulled from pgp.mit.edu. Joanna's keys are "joanna-email-itl.asc" from her page, though we may leave her link as is.

Didn't check them.

[woju]

OK, so let's get it done.

https://keys.qubes-os.org/team/, just pulled from pgp.mit.edu. Joanna's keys are "joanna-email-itl.asc" from her page, though we may leave her link as is.

Didn't check them.

[adrelanos]

Perhaps just link to https://www.whonix.org/patrick.asc ? Or copy the
file. That is supposed to always host my most recent key.

Or from here?
https://github.com/marmarek/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc

(I am trying to avoid too many locations of my key to update in future.)

[adrelanos]

Perhaps just link to https://www.whonix.org/patrick.asc ? Or copy the
file. That is supposed to always host my most recent key.

Or from here?
https://github.com/marmarek/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc

(I am trying to avoid too many locations of my key to update in future.)

[andrewdavidwong]

Is it too much trouble for everyone to have an additional place to have their keys updated? If so, we can just scrap this idea. (The only motivation for it was that we already have keys.qubes-os.org, and we already use it to host Qubes-related keys, so it seems like a natural step to host and link there instead of pgp.mit.edu, but pgp.mit.edu has the advantage of automatically syncing with other public keyservers, while keys.qubes-os.org does not.)

[andrewdavidwong]

Is it too much trouble for everyone to have an additional place to have their keys updated? If so, we can just scrap this idea. (The only motivation for it was that we already have keys.qubes-os.org, and we already use it to host Qubes-related keys, so it seems like a natural step to host and link there instead of pgp.mit.edu, but pgp.mit.edu has the advantage of automatically syncing with other public keyservers, while keys.qubes-os.org does not.)

[andrewdavidwong]

To add: It probably makes more sense to host things that are truly Qubes-specific, like Qubes release signing keys, on keys.qubes-os.org. People are not Qubes-specific, so it doesn't really make sense to duplicate our keys there. So perhaps this is a bad idea after all.

[andrewdavidwong]

To add: It probably makes more sense to host things that are truly Qubes-specific, like Qubes release signing keys, on keys.qubes-os.org. People are not Qubes-specific, so it doesn't really make sense to duplicate our keys there. So perhaps this is a bad idea after all.

[woju]

@andrewdavidwong, your decision :)

[woju]

@andrewdavidwong, your decision :)

[andrewdavidwong]

@woju: Ok, closing. Sorry for the trouble!

[andrewdavidwong]

@woju: Ok, closing. Sorry for the trouble!

[woju]

No problem. 😄 I removed that directory from keys.qubes-os.org, not to confuse anyone.

[woju]

No problem. 😄 I removed that directory from keys.qubes-os.org, not to confuse anyone.