Discuss and implement PGP support. #58

Open
dpc opened this Issue Dec 13, 2018 · 4 comments

Owner

dpc commented Dec 13, 2018

I am a heavy GPG user, and I believe it's a PITA for a mass audience. But it's almost the only game in town for hardware keys support, so security-minded people will probably want to use that.

GPG support is not implemented, but can be added at a later time.

The identity would look like this:

from:
  id-type: pgp
  id:  4488680DA3CF5F2B4756ED873D23EC2392F2EDE7
  url: "https://github.com/someuser/crev-proofs"

The exported public key will be embedded into the git repo somewhere. The PGP WoT won't be involved at all here: just a 1:1 match between the ID and the GPG identity to use to check the signatures against.

Also, the review timestamp should be checked to be within the lifetime of the PGP identity.

When the PGP key goes out of life, the author will just create a new one, and set the trust to the old one as high.

It should be fairly straightforward to add, but it is not high on my personal priority list.
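The two checks proposed in the comment above (an exact 1:1 match between the proof's `id` and the key, and a review timestamp inside the key's lifetime), sketched as an added example that is not part of the original comment or of crev's code. The types, function names and timestamps are hypothetical, and it assumes the signature itself has already been verified against the key exported into the proof repository.

```rust
// Added example: hypothetical types and names, not crev's own code.
#[derive(Debug, PartialEq)]
enum IdCheck { Ok, WrongIdType, BadFingerprint, FingerprintMismatch, OutsideKeyLifetime }

// Metadata of the public key exported into the proof repo (assumed layout).
struct PgpKey<'a> {
    fingerprint: &'a str,
    created: i64,         // Unix seconds
    expires: Option<i64>, // None = key has no expiry
}

// Normalize a full fingerprint: drop whitespace, upper-case, require 40 hex
// digits. Short 8/16-digit key IDs are rejected because they are not unique.
fn normalize_fpr(s: &str) -> Option<String> {
    let f = s.chars().filter(|c| !c.is_whitespace()).collect::<String>().to_ascii_uppercase();
    if f.len() == 40 && f.chars().all(|c| c.is_ascii_hexdigit()) { Some(f) } else { None }
}

// Check a proof's `from` block against one key: exact ID match first, then
// review timestamp inside [created, expires).
fn check_identity(id_type: &str, id: &str, review_time: i64, key: &PgpKey) -> IdCheck {
    if id_type != "pgp" { return IdCheck::WrongIdType; }
    let (want, have) = match (normalize_fpr(id), normalize_fpr(key.fingerprint)) {
        (Some(a), Some(b)) => (a, b),
        _ => return IdCheck::BadFingerprint,
    };
    if want != have { return IdCheck::FingerprintMismatch; }
    let expired = key.expires.map_or(false, |e| review_time >= e);
    if review_time < key.created || expired { return IdCheck::OutsideKeyLifetime; }
    IdCheck::Ok
}

fn main() {
    // Constructed sample: fingerprint from the issue text, made-up lifetime.
    let key = PgpKey {
        fingerprint: "4488 680D A3CF 5F2B 4756  ED87 3D23 EC23 92F2 EDE7",
        created: 1_500_000_000,
        expires: Some(1_600_000_000),
    };
    let id = "4488680DA3CF5F2B4756ED873D23EC2392F2EDE7";
    println!("{:?}", check_identity("pgp", id, 1_544_659_200, &key)); // inside lifetime
    println!("{:?}", check_identity("pgp", id, 1_600_000_001, &key)); // after expiry
}
```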


stevenroose commented Dec 14, 2018

I think it makes sense to reuse existing key infrastructure like PGP, yes. Though trusting a PGP identity should of course not be equal to trusting his code reviews ;)


dpc commented Dec 14, 2018

@stevenroose Yes. GPG's WoT is completely out of the picture for Crev. WoT-s between GPG and Crev serve different purposes: confirming that the underlying identity is true vs. trusting someone's code reviews.


stevenroose commented Dec 18, 2018

But that doesn't take away the utility of using PGP identities for crev, though.


dpc commented Dec 18, 2018

I have created this ticket for a reason. I'm not disputing the utility of supporting PGP. 😎

@dpc dpc added this to the cargo-crev 1.0 milestone Dec 23, 2018
