Re: More prominent link to verification hashes

On Tuesday, February 23, 2016 10:18:49 PM Ralf Senderek wrote:
> On Tue, 23 Feb 2016, Till Maas wrote:
> > I used my access to the signing server to verify the key before signing
> > it. But why is confirming the fingerprint here a step forward? Why would
> > someone search in this mailing list for the fingerprint of the gpg key?
> > 
> > FWIW, the signing server just gave me a public key with this fingerprint
> > when I asked for the Fedora 24 signing key:
> > pub  4096R/81B46521 2015-07-25 Fedora (24) <fedora-24-primary@xxxxxxxxxxxxxxxxx>
> >      Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521
> 
> This is the important part, you state that you have access to the server
> that uses the private key for 4096R/81B46521. You may have first-hand
> knowledge how the persons using this key protect this private key and you
> have even knowledge of these persons' trustworthiness and professionalism.
> 
> That and only that constitutes the value of your signature as opposed to
> mine if I had signed the key.

No one has access to the private key. It lives on a server that has no 
services running that listen for connections. There is a service that runs on 
it that talks to the signing bridge. That brokers all requests. Users with 
access do not know the password to unlock the key. The signing server manages 
access. There are exactly two copies of the private key, one embedded in 
encrypted storage on the signing server and a backup of the encrypted storage 
on the backup server. It has been designed to allow the granting and 
revocation of access without the need for having a copy of the private key.

https://fedorahosted.org/sigul/ is the software we use

Dennis

Attachment: signature.asc
Description: This is a digitally signed message part.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
