Re: PATCH: Less fragile lookup of gpg key

["Greg A. Woods" <woods@planix.com>]

[-- Attachment #1: Type: text/plain, Size: 2807 bytes --]

At Mon, 3 May 2010 07:16:55 -0400, Theodore Tso <tytso@MIT.EDU> wrote:
Subject: Re: PATCH:  Less fragile lookup of gpg key
> 
> On May 2, 2010, at 8:59 PM, Greg A. Woods wrote:
> > 
> > You can of course have more than one e-mail address per key, but you
> > should NEVER have more than one key per e-mail.
> 
> This is pretty common actually.  At the very least it will happen if
> people are trying to transition between an older and a newer key ---
> for example, if they are trying to move from a less secure crypto
> algorithm to a more secure crypto algorithm.

As I understand things the best way to manage these kinds of things is
to use sub-keys.  You can change the expire time on a sub-key, and then
eventually you can revoke it, all the while preserving your one primary
public key for signing.  Indeed it's a good idea to regularly change
your sub-key and expire the older ones.

Any time I've ever encountered anyone with more than one published key
associated with any given e-mail address, confusion has inevitably
ensued.

Normally the only time I've ever seen anyone end up with multiple
published keys associated with the same e-mail address it has happened
when they have accidentally lost their private key somehow and therefore
they were unable to revoke it properly.

If you must regenerate your primary public key, and you have control of
your old public key then the right thing to do is to set the old one to
expire ASAP, and/or to revoke it, upon generating a new one, then
publish the updates together.  This way there doesn't have to be any
window of confusion.

So, as Grant Olson has also explained, publishing multiple keys with the
same e-mail address in one of their UIDs (even if the entire UID is not
identical), is only for advanced users who are willing to deal with the
exceptional usage that results.  Not all Git users are advanced users
who will be willing and/or able to deal with these issues.

Meanwhile the original problem here appears to me to be that Git
effectively encourages use of multiple valid keys that may have the same
e-mail address attached to multiple key-IDs.

If I understand correctly from the GnuPG documentation, the desired way
to search for a key has a very well defined algorithm based on the
syntax identifying the format of the "key".  I think Git should use that
same algorithm at minimum, but by default if there's no hint based on
the expressed syntax of the key given it should follow the example of
most/all(?) MUA interfaces to PGP, which if I'm not mistaken is to
search by exact match of the e-mail address stripped of any display name
and all comments.

-- 
						Greg A. Woods
						Planix, Inc.

<woods@planix.com>       +1 416 218 0099        http://www.planix.com/

[-- Attachment #2: Type: application/pgp-signature, Size: 186 bytes --]