
Did you have your coworkers publish their public keys on the internet keyservers, or did you have them all exchange their public keys by hand?



Most of them do; however, in multiple groups I have been part of, we maintained a git repo containing all trusted public keys, ready to batch import.

To make maintaining trust on this easy, all commits to this folder are made with commits signed by the owner of the respective key, and then a merge commit signed by a maintainer who verified it.

This makes it really easy for automation to have a source of truth to check/validate commit signatures in other repos.
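A throw-away verification script in the spirit of the workflow described above, added here as an example (it is not the commenter's tooling). It assumes the trusted public keys live as ASCII-armored `*.asc` files in one directory, that `gpg` and `git` are installed, and that the keys directory has already been checked out from the reviewed repo.

```shell
#!/bin/sh
# Build a fresh keyring from a directory of trusted public keys, then check
# that every commit in a range of another repo carries a good signature from
# one of those keys. Constructed example; key files are assumed to be *.asc.
set -eu

# Import all public keys from KEYS_DIR into a temporary GNUPGHOME and mark
# each primary key as ultimately trusted, so "good signature" is not
# downgraded to "untrusted key" on older git versions.
build_keyring() {
    keys_dir="$1"
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    for f in "$keys_dir"/*.asc; do
        gpg --batch --quiet --import "$f"
    done
    # Ownertrust records are keyed by primary-key fingerprint (field 10 of
    # the "fpr" line that directly follows a "pub" line in colon output).
    gpg --batch --with-colons --list-keys \
        | awk -F: '$1=="pub"{p=1;next} $1=="sub"{p=0} $1=="fpr"&&p{print $10":6:"}' \
        | gpg --batch --quiet --import-ownertrust
}

# Verify each commit reachable from RANGE in REPO; return 1 if any commit
# lacks a good signature from a key in the keyring built above.
verify_commits() {
    repo="$1"
    range="$2"
    status=0
    for c in $(git -C "$repo" rev-list "$range"); do
        if git -C "$repo" verify-commit "$c" >/dev/null 2>&1; then
            echo "ok   $c"
        else
            echo "FAIL $c (no good signature from a trusted key)"
            status=1
        fi
    done
    return $status
}
```

Run it as `build_keyring ./keys && verify_commits ../other-repo origin/main..HEAD` to gate a CI job on the reviewed key set rather than on whatever happens to be in the runner's default keyring.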


With GPG there are many more options: have an internal keyserver, or have a "certification authority" key that signs new employee keys and that everyone else trusts (via trust signatures). For details see: https://www.linuxfoundation.org/blog/pgp-web-of-trust-delega...


Too many options, honestly. I'd love to see a widely agreed "basic profile" for GPG, so that everyone writing tutorials etc. would be suggesting the same thing.

