From: "H. Peter Anvin" <hpa@zytor.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: kernel.org status: establishing a PGP web of trust
Date: Fri, 30 Sep 2011 16:50:37 -0700 [thread overview]
Message-ID: <4E8655CD.90107@zytor.com> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
Since the kernel.org status announcement last week a number of you
have contacted me about re-establishing credentials. In order to
establish a proper PGP web of trust we need keys that are cross-signed
by other developers. As such, we ask that you follow the following
steps:
1. Make sure your systems are uncompromised. We will address specific
recommended steps for that in a separate email.
2. Create a new PGP/GPG key, and also generate a key revocation
certificate (but don't import it anywhere -- save it for the
future) for your new key. In the near future we are considering
setting up an escrow service for key revocation certificates.
I recommend using a 4096-bit RSA key. Given how fast computers are
these days, there is no reason to use a shorter key. DSA keys
should be considered obsolete; substantial weaknesses have been
found in DSA.
$ gpg --gen-key
$ gpg -u <key ID> -o <key ID>.revoke --gen-revoke
3. If you are reasonably certain that your old key has never been
jeopardized, sign the new key with the old key.
$ gpg -u <your old key ID> --sign-key <your new key ID>
If you are *not* sure about your old keys, please revoke them if
you haven't already done so (create a revocation certificate and
import it into your keyring, then push the key to the key servers.)
$ gpg -u <your old key ID> -o <your old key ID>.revoke --gen-revoke
$ gpg --import <your old key ID>.revoke
$ gpg --keyserver pgp.mit.edu --send-key <your old key ID>
4. Upload the signed keys to the keyserver system (I usually use
pgp.mit.edu, but most of the keyservers sync with each other with
roughly a 24-hour delay.) By publishing the keys we make them
available not only to kernel.org but for other uses, like signing
email, and you can verify yourself by looking at http://pgp.mit.edu/
if there is someone out there who has published a key with your name
on it. Furthermore, it allows us to tap other webs of trust already
established.
$ gpg --keyserver pgp.mit.edu --send-key <your key ID>
5. Get as many other kernel developers that you have physical access to
to sign your key after verifying the fingerprint. Verifying keys
over the phone is OK if and only if you know them *extremely* well;
think "would I be willing to testify in court that the person I
talked to was X"?
If you work in an office with multiple other Linux developers, it
would be a very good thing to organize a local key signing. We will
do a key signing at Kernel Summit for the core kernel developers.
A web site with recommendations for running a key signing:
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
$ gpg --fingerprint <key ID>
$ gpg --keyserver pgp.mit.edu --recv-key <their key ID>
$ gpg -u <your key ID> --sign-key <their key ID>
$ gpg --keyserver pgp.mit.edu --send-key <their key ID>
$ gpg --keyserver pgp.mit.edu --recv-key <your key ID>
6. Please send me the key identifier and fingerprint to
<keys@zytor.com>. This is a temporary address until the kernel.org
MX is ready to put back online; eventually we will probably have a
web form interface for this.
-hpa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJOhlXFAAoJEL2gYIVJO6zkc7MP/2Qb6iOGCMEd3ncV8N9Znqsf
nPYnjS7Eo8EafbC5A/Pe5UaqzVw3UrWAewTENUaNndXuTDRYhvt2SeQEbASpCTfG
Wr0WPzcrrnIOhJDk9WyLUIE+wR52Alq/EYmiRBDBNJmNqwo7SgXVpyDqMvLeH9IH
LCey68XfQ2WrD25p3a3zmi5woGuluQsUVYNJCB0yC1RpESJDO6GNx+tUWWR6kRk1
GmaUs0qrx9nHrycQZIq1pga3v/uxSvxr7pYAvLMLvl0pCFE+GbQ+wCMqpddOTA0/
0d5QVRqL1neCMGYUm+9Ff3AzzyaqTKHPOm6grnUp+M73+3FJIMzr3BOEIJnusJA5
vDPjHl8j3+LJXeTNNp3V/pmM89uc9vWjdyRoMyeufN2simC07csxh8E8s35hz3gj
z6tdch9ygHJt1rS3XuJva9p5kNm0ptMtbF1wWzJCci8Lo7iiMoj0GECyeIzvEbic
qG6sUfgIORGe3OH8MPCdmn2BY1y0Rz6rD05s1nZOBxOoYihrtDrnNC5MJl4+lvTW
7fzTFVzbjQO7Ybu/PqLeAJ4ieTFflbp4j7dI9dTKxHfTKQ+NT1YgiRpS7gcZeDhS
YmVKMmN5QpxFqMYhr9gc2S/6iYwRTP1juWMf0bxP9xiY/SaBhW8XrpyxE85svc+o
9j39P8QGHPb35HQ2HPgn
=PdWd
-----END PGP SIGNATURE-----
next reply other threads:[~2011-09-30 23:50 UTC|newest]
Thread overview: 188+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-30 23:50 H. Peter Anvin [this message]
2011-09-30 23:59 ` kernel.org status: hints on how to check your machine for intrusion Greg KH
2011-10-01 1:15 ` David Miller
2011-10-01 4:54 ` Greg KH
2011-10-01 7:35 ` Willy Tarreau
2011-10-01 14:07 ` Greg KH
2011-10-01 18:06 ` Steven Rostedt
2011-10-01 18:13 ` David Miller
2011-10-01 18:29 ` Steven Rostedt
2011-10-01 18:34 ` Willy Tarreau
2011-10-01 21:23 ` Henrique de Moraes Holschuh
2011-10-01 21:30 ` Henrique de Moraes Holschuh
2011-10-03 9:28 ` Maarten Lankhorst
2011-10-01 18:40 ` Steven Rostedt
2011-10-01 18:45 ` Steven Rostedt
2011-10-03 9:47 ` gmack
2011-10-01 22:06 ` Frank A. Kingswood
2011-10-03 9:49 ` gmack
2011-10-01 14:17 ` akwatts
2011-10-01 14:28 ` Greg KH
2011-10-01 16:29 ` Andy
2011-10-01 16:56 ` Willy Tarreau
2011-10-01 17:19 ` Andy
2011-10-01 17:54 ` Andreas Schwab
2011-10-01 22:32 ` H. Peter Anvin
2011-10-01 17:54 ` Willy Tarreau
2011-10-01 18:40 ` Andy
2011-10-01 19:06 ` Willy Tarreau
2011-10-01 19:24 ` Greg KH
2011-10-01 20:07 ` Willy Tarreau
2011-10-01 20:29 ` Andreas Schwab
2011-10-01 20:32 ` Willy Tarreau
2011-10-01 20:24 ` Andy
2011-10-01 22:43 ` Willy Tarreau
2011-10-02 0:10 ` H. Peter Anvin
2011-10-02 5:35 ` Willy Tarreau
2011-10-02 1:58 ` tmhikaru
2011-10-02 2:26 ` Greg KH
2011-10-02 3:30 ` Andy
2011-10-02 4:39 ` Greg KH
2011-10-02 6:59 ` Willy Tarreau
2011-10-02 12:03 ` Andy
2011-10-02 18:27 ` Willy Tarreau
2011-10-11 1:16 ` Andrew Watts
2011-10-02 3:31 ` tmhikaru
2011-10-07 9:28 ` Andrea Arcangeli
2011-10-13 2:34 ` Re " Matthew W.S. Bell
2011-10-13 10:59 ` Matthew W.S. Bell
2011-10-18 15:13 ` Jean Delvare
2011-10-18 15:21 ` Greg KH
2011-10-18 16:08 ` Jean Delvare
2011-10-01 14:05 ` kernel.org status: establishing a PGP web of trust Greg KH
2011-10-01 22:07 ` Rafael J. Wysocki
2011-10-01 22:26 ` Greg KH
2011-10-02 23:02 ` Nobuhiro Iwamatsu
2011-10-02 23:09 ` Greg KH
2011-10-03 9:14 ` Steven Rostedt
2011-10-03 14:13 ` Greg KH
2011-10-03 15:09 ` Steven Rostedt
2011-10-01 21:33 ` Rafael J. Wysocki
2011-10-01 22:27 ` H. Peter Anvin
2011-10-01 22:36 ` Randy Dunlap
2011-10-01 22:52 ` Ted Ts'o
2011-10-02 1:04 ` Rafael J. Wysocki
2011-10-02 1:04 ` H. Peter Anvin
2011-10-02 11:54 ` Rafael J. Wysocki
2011-10-02 17:53 ` H. Peter Anvin
2011-10-02 18:14 ` Rafael J. Wysocki
2011-10-02 18:19 ` H. Peter Anvin
2011-10-02 18:39 ` Willy Tarreau
2011-10-02 19:02 ` H. Peter Anvin
2011-10-02 19:24 ` Willy Tarreau
2011-10-02 19:29 ` Rafael J. Wysocki
2011-10-02 18:24 ` Henrique de Moraes Holschuh
2011-10-02 18:31 ` H. Peter Anvin
2011-10-02 19:31 ` Rafael J. Wysocki
2011-10-02 20:42 ` Henrique de Moraes Holschuh
2011-10-03 9:32 ` Adrian Bunk
2011-10-03 16:28 ` Frank Ch. Eigler
2011-10-03 18:04 ` Adrian Bunk
2011-10-04 20:29 ` Valdis.Kletnieks
2011-10-04 22:39 ` Adrian Bunk
2011-10-04 23:17 ` Frank Ch. Eigler
2011-10-05 4:37 ` Valdis.Kletnieks
2011-10-05 7:54 ` Adrian Bunk
2011-10-05 17:06 ` Ted Ts'o
2011-10-05 19:23 ` Adrian Bunk
2011-10-05 19:50 ` Adrian Bunk
2011-10-05 20:09 ` Greg KH
2011-10-05 21:25 ` Adrian Bunk
2011-10-05 23:47 ` Ted Ts'o
2011-10-06 7:16 ` Adrian Bunk
2011-10-05 23:57 ` Thomas Gleixner
2011-10-06 0:07 ` Jeremy Fitzhardinge
2011-10-06 0:18 ` Chris Friesen
2011-10-06 7:30 ` Thomas Gleixner
2011-10-06 17:19 ` Valdis.Kletnieks
2011-10-06 8:04 ` Adrian Bunk
2011-10-06 10:22 ` Thomas Gleixner
2011-10-06 11:10 ` Adrian Bunk
2011-10-06 11:05 ` Josh Boyer
2011-10-06 11:19 ` Adrian Bunk
2011-10-05 4:23 ` Valdis.Kletnieks
2011-10-05 20:00 ` Arnaud Lacombe
2011-10-05 20:19 ` Adrian Bunk
2011-10-05 20:36 ` Arnaud Lacombe
2011-10-05 23:55 ` Greg KH
2011-10-06 0:23 ` Arnaud Lacombe
2011-10-06 0:50 ` Arnaud Lacombe
2011-10-06 5:25 ` Greg KH
2011-10-06 13:44 ` Valdis.Kletnieks
2011-10-06 14:43 ` Arnaud Lacombe
2011-10-06 10:05 ` Alan Cox
2011-10-06 17:05 ` Krzysztof Halasa
2011-10-06 15:58 ` Jon Masters
2011-10-06 17:39 ` Mark Brown
2011-10-06 17:45 ` Krzysztof Halasa
2011-10-06 17:52 ` Mark Brown
2011-10-06 17:48 ` Greg KH
2011-10-06 18:08 ` H. Peter Anvin
2011-10-06 18:14 ` H. Peter Anvin
2011-10-06 19:50 ` Valdis.Kletnieks
2011-10-06 22:16 ` Krzysztof Halasa
2011-10-07 16:29 ` Valdis.Kletnieks
2011-10-07 16:59 ` Greg KH
2011-10-07 16:59 ` Arnaud Lacombe
2011-10-07 18:22 ` Valdis.Kletnieks
2011-10-08 5:02 ` Jon Masters
2011-10-08 14:36 ` Valdis.Kletnieks
2011-10-08 15:28 ` Geert Uytterhoeven
2011-10-08 15:48 ` Krzysztof Halasa
2011-10-08 17:59 ` Jon Masters
2011-10-08 21:06 ` Krzysztof Halasa
2011-10-08 21:09 ` H. Peter Anvin
2011-10-09 3:01 ` Jon Masters
2011-10-08 15:44 ` Krzysztof Halasa
2011-10-08 15:16 ` Krzysztof Halasa
2011-10-05 19:43 ` Arnaud Lacombe
2011-10-02 18:36 ` Randy Dunlap
2011-10-02 22:46 ` Valdis.Kletnieks
2011-10-02 23:16 ` Josh Boyer
2011-10-03 0:24 ` H. Peter Anvin
2011-10-02 22:54 ` Guenter Roeck
2011-10-02 22:58 ` H. Peter Anvin
2011-10-02 23:23 ` Olof Johansson
2011-10-02 23:27 ` H. Peter Anvin
2011-10-03 0:44 ` Jeremy Fitzhardinge
2011-10-03 1:00 ` Guenter Roeck
2011-10-03 1:00 ` Dmitry Torokhov
2011-10-03 1:09 ` Ted Ts'o
2011-10-03 1:21 ` Jeremy Fitzhardinge
2011-10-03 1:22 ` H. Peter Anvin
2011-10-03 1:42 ` Andrew Morton
2011-10-03 1:43 ` H. Peter Anvin
2011-10-03 3:15 ` Geoff Levand
2011-10-03 3:29 ` Ted Ts'o
2011-10-03 3:38 ` Dmitry Torokhov
2011-10-03 3:54 ` Ted Ts'o
2011-10-03 4:02 ` Andrew Morton
2011-10-03 4:33 ` Ted Ts'o
2011-10-03 0:43 ` Lee Mathers
2011-10-03 9:53 ` Jonathan Cameron
2011-10-04 22:34 ` Ralf Baechle
2011-10-05 19:12 ` Maciej W. Rozycki
2011-10-06 13:27 ` Cambridge, UK key signing meeting. Thursday 13th Oct Jonathan Cameron
2011-10-11 16:33 ` Jonathan Cameron
2011-10-02 18:20 ` kernel.org status: establishing a PGP web of trust Henrique de Moraes Holschuh
2011-10-03 1:18 ` Ben Pfaff
2011-10-03 1:49 ` H. Peter Anvin
2011-10-03 11:19 ` Jiri Kosina
2011-10-03 22:56 ` Josh Triplett
2011-10-04 4:49 ` Ted Ts'o
2011-10-04 4:52 ` H. Peter Anvin
2011-10-04 5:11 ` Ted Ts'o
2011-10-04 16:37 ` H. Peter Anvin
2011-10-04 7:15 ` Jiri Kosina
2011-10-04 19:23 ` Rafael J. Wysocki
2011-10-06 3:14 ` John Johansen
2011-10-06 4:49 ` hpanvin@gmail.com
2011-10-04 12:51 ` Heiko Carstens
2011-10-04 22:02 ` Jiri Kosina
2011-10-04 22:04 ` H. Peter Anvin
2011-10-05 0:27 ` Henrique de Moraes Holschuh
2011-10-03 17:50 ` Adrian Bunk
2011-10-06 18:22 ` Krzysztof Halasa
2011-10-06 18:31 ` Rafael J. Wysocki
2011-10-06 21:19 ` [Warsaw Poland] " Krzysztof Halasa
2011-10-06 21:37 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E8655CD.90107@zytor.com \
--to=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox