btiffin
Posted: Mon Aug 18, 2008 2:14 am Post subject: keygen and person to person rings of trust
Anyone here have any experience running, or being involved in, a digital signature and public/private key "Ring of Trust"?
I'm pondering how to best set up a REBOL developer and code share digital verification system. Small at first, maybe 50 producers, consumers numbered to the third or fourth order of magnitude. Six would be cool, but reality bytes.
So I assume gpg, but wonder about things like:
number of people with physical copies of root keys? 2 out of 50? 4?
how key sharing can work when individuals span the globe with very low geophysical density?
can you safely "cheat the spirit of the system" and through decades of history using various communication paths, assume a binary key sent without a physical handshake but lots of electronic communications, as trusted, to the point where consumers would place faith in such a system? (I'm leaning toward this as being no-go territory, but wondered...especially first-cut, before the annual developer conference makes face to face more feasible ... and the step up still giving consumers more than exists today.) Don't worry, I'm prepared to duck, having even raised the subject.
given under 100 developers, how often should master keys be recycled?
how many hours of management, verification tests etc. (per signature) can be assumed over the course of a year?
Anyone that has seen one of these in action, I'd appreciate any observations.
Cheers
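An added example, not part of the post above and not GnuPG's own code: a small model of the classic PGP web-of-trust validity rule that gpg applies when it decides whether a key is good enough to verify a signature. It uses GnuPG's default thresholds (completes-needed=1, marginals-needed=3, max-cert-depth=5) and a constructed ring of hypothetical developer keys; names, the signature graph and the ownertrust assignments are all made up for illustration. The point it shows for the questions above is that ownertrust you assign to a key does nothing until that key is itself valid, so a key that arrived only over electronic channels stays "unknown" for everyone else no matter how much its owner is trusted, until someone whose key is already valid certifies it.

```python
"""Simplified PGP-style web-of-trust validity calculation (added example).

Models the classic GnuPG trust model:
  - keys you own are 'ultimate' and always valid;
  - a key becomes 'full' when certified by at least `completes_needed`
    fully-trusted introducers or `marginals_needed` marginally-trusted ones;
  - only keys that are already valid (ultimate/full) AND carry ownertrust
    may act as introducers;
  - certification chains are followed at most `max_cert_depth` hops.
This is an illustration of the rule, not GnuPG's implementation.
"""


def compute_validity(signatures, ownertrust, ultimate,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}.

    signatures: {signed_key: set(signer_keys)}  certifications present in the ring
    ownertrust: {key: 'full' | 'marginal'}      how far *you* trust each owner as an introducer
    ultimate:   set of keys you own
    """
    all_keys = set(signatures) | set(ultimate)
    for signers in signatures.values():
        all_keys |= set(signers)
    validity = {k: 'unknown' for k in all_keys}
    for k in ultimate:
        validity[k] = 'ultimate'

    # Each round extends certification chains by one hop, so `max_cert_depth`
    # rounds bound the chain length.
    for _depth in range(max_cert_depth):
        introducers = {
            k for k, v in validity.items()
            if v in ('ultimate', 'full')
            and (k in ultimate or ownertrust.get(k) in ('full', 'marginal'))
        }
        changed = False
        for key in all_keys:
            if validity[key] in ('ultimate', 'full'):
                continue  # already as valid as it can get
            usable = signatures.get(key, set()) & introducers
            completes = sum(1 for s in usable
                            if s in ultimate or ownertrust.get(s) == 'full')
            marginals = sum(1 for s in usable
                            if s not in ultimate and ownertrust.get(s) == 'marginal')
            if completes >= completes_needed or marginals >= marginals_needed:
                new = 'full'
            elif usable:
                new = 'marginal'  # some trusted certifications, but under threshold
            else:
                new = 'unknown'
            if validity[key] != new:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def example_ring():
    """Constructed sample ring; hypothetical names, not real keys or people."""
    signatures = {
        'bob':   {'alice'},                    # met alice at the conference
        'carol': {'alice'},
        'dave':  {'alice'},
        'erin':  {'alice'},
        'frank': {'bob'},
        'grace': {'carol', 'dave', 'erin'},    # three marginal introducers
        'heidi': {'carol', 'dave'},            # only two: not enough
        'ivan':  {'frank'},
        'kevin': {'judy'},                     # judy's key was never verified by anyone
    }
    ownertrust = {
        'bob': 'full',
        'carol': 'marginal', 'dave': 'marginal', 'erin': 'marginal',
        'frank': 'marginal',
        'judy': 'full',   # assigned, but inert: judy herself is not a valid key
    }
    return signatures, ownertrust, {'alice'}


if __name__ == '__main__':
    sigs, trust, mine = example_ring()
    for key, v in sorted(compute_validity(sigs, trust, mine).items()):
        print(f'{key:6} {v}')
```

In the sample, judy has full ownertrust yet kevin stays unknown, because judy's own key was never certified by a valid introducer; as soon as alice signs judy (one in-person verification), kevin becomes fully valid on the next hop. That is the lever the ring has to pull for a remote-only member: one validated introducer, not more trust settings.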