Controlling Group Membership with PGP Keys
Mike Acker
Mike_Acker at charter.net
Tue Mar 22 16:17:37 CET 2011
On 03/22/2011 11:01, Jerome Baum wrote:
> Mike Acker <Mike_Acker at charter.net> writes:
>
>> > Clearly the design of the PGP key and its trust model does not
>> > apprehend indicating Group membership
> How about adding an identity: "Member of group X"?
>
> pub 4096R/C58C753A 2010-12-28
> uid Jerome Baum <jerome at jeromebaum.com>
> uid Member of gnupg-users
>
> You'd still have to manually check _who_ signed my member uid, to make
> sure it's a group administrator, and timely revocation is an issue.
>
> 1. Group admin: Maybe we could add a config item that sets the
> administrative key for a domain (by email part of uid) and only
> trust signatures of that key when it comes to those domains? How
> about a fake uid like those PayPal clones, e.g. "Member of
> gnupg-users <jerome at gnpg-users>"? Why can't we use the WoT for this
> kind of stuff (do I trust Alice to check before she signs a group
> uid)?
>
> 2. Revocation: At least now the revocation is semantically correct. I
> revoke the signature stating "Jerome is a member of gnupg-users", but
> I keep the signature stating "this key is really Jerome's". Timely
> revocation is still an issue. I don't think you can set a preferred
> key-server in a signature, can you? So we can use a (non-standard)
> notation to designate that.
>
> --
> PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
> PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
In thinking about this it is clear that PGP (and thus GnuPG) wasn't
intended to verify group membership. This could be an upcoming RFC,
but for today I'm going to advise my group that the authentication
simply indicates the sender is who he (she) says he (she) is, nothing more.
When I receive a message from Tom Newguy I can look at my Group Mailing
List to see if he's a member, or not. The group administrator will
need to send messages when there are adds, changes, or deletes to the
group membership list, and this can be done in the ordinary manner. I'll
recommend DEACTIVATING obsolete keys rather than deletes -- this should
prevent folks from accidentally downloading a key that has been dropped
(I need to test this yet).
The RFC would allow Thunderbird to associate a key server with an e-mail
account and would provide for the group administrator to maintain the
keys in that server. This would recommend that folks use a dedicated
e-mail account for the access-controlled group, but I don't see that as
a horrible issue -- not like asking folks to set up a VM --
/MIKE
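Jerome's quoted suggestion leaves two manual checks: who signed the "Member of group X" uid, and whether that certification was later revoked. The script below is an added example (not code from this thread or from GnuPG) that automates both checks over `gpg --with-colons --check-sigs` output; the admin key id, fingerprints and the listing itself are constructed placeholders.

```python
"""Check 'Member of <group>' uids for a certification from the group admin key.
Parses `gpg --with-colons --check-sigs` output. Added example, not list code;
the admin key id, fingerprints and listing below are constructed placeholders.
"""
from collections import defaultdict

GROUP_UID = "Member of gnupg-users"
ADMIN_KEYID = "0000000000ADMIN1"  # hypothetical group administrator key
# Constructed listing: key A has a valid admin cert on its member uid; key B's
# admin cert was later revoked by the admin (rev record, class 0x30).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1293494400:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1293494400::H1::Alice Example <alice at example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1293494400::::Alice Example <alice at example.org>:13x:::::::::
uid:u::::1293494400::H2::Member of gnupg-users::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1293494400::::Alice Example <alice at example.org>:13x:::::::::
sig:!::1:0000000000ADMIN1:1300000000::::Group Admin <admin at example.org>:10x:::::::::
pub:u:2048:1:BBBBBBBBBBBBBBBB:1293494400:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:u::::1293494400::H3::Member of gnupg-users::::::::::0:
sig:!::1:0000000000ADMIN1:1290000000::::Group Admin <admin at example.org>:10x:::::::::
rev:!::1:0000000000ADMIN1:1300000000::::Group Admin <admin at example.org>:30x:::::::::
"""

def group_membership(listing, group_uid=GROUP_UID, admin_keyid=ADMIN_KEYID):
    """Map primary-key fingerprint -> 'member' | 'revoked' | 'unverified'.
    Only verified ('!') signatures from the admin key on the group uid count;
    the newest admin event (certification or 0x30 revocation) decides."""
    status, events = {}, defaultdict(list)
    fpr, want_fpr, in_group_uid = None, False, False
    for line in listing.splitlines():
        rec = line.split(":")
        kind = rec[0]
        if kind == "pub":
            want_fpr, in_group_uid = True, False
        elif kind == "fpr" and want_fpr:      # first fpr after pub = primary key
            fpr, want_fpr = rec[9], False
            status[fpr] = "unverified"
        elif kind in ("uid", "uat", "sub"):
            in_group_uid = kind == "uid" and rec[9] == group_uid
        elif kind in ("sig", "rev") and in_group_uid and rec[4] == admin_keyid:
            cls = rec[10][:2]                 # RFC 4880 signature class
            is_cert = kind == "sig" and cls in ("10", "11", "12", "13")
            is_rev = kind == "rev" and cls == "30"
            if rec[1] == "!" and (is_cert or is_rev):
                events[fpr].append((int(rec[5]), is_rev))  # tie -> revocation
    for key, evs in events.items():
        status[key] = "revoked" if max(evs)[1] else "member"
    return status
```

Self-signatures and other third-party certifications on the member uid are ignored on purpose: only the designated administrator key decides membership, and a key with no group uid or no admin signature stays "unverified".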