[SGVLUG] Synchronizing and maintaining gpg/pgp keyrings -- recommendations?

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Mon Jun 11 17:50:28 PDT 2007


As part of the preparation for our upcoming August presentation, I'm
doing a little house-cleaning on my public/private keys.  I've come to
the conclusion that what I've got is a mess, so I was wondering what
others do or recommend when dealing with PGP/GPG on "more than one
machine".

The "secret" key is relatively easy -- that file (in my case) contains
only one key, so it's pretty easy to tell whether or not I've got the
same "secret keyring" on various systems -- listing the "secret" key
should show the same key ID [though in one case it doesn't, however I
don't think I've ever utilized that key nor have I posted the
corresponding "public" key on any server that I can find...]

The "public" keys, however, are a bit more of a problem.  I've got
keyrings on the following machines:

   1) my "(web)server" machine at home
   2) my old laptop [migrated to my new laptop]
   3) my Linux system at home [dual booted to windows, with its OWN
copy of the public keyring]
   4) the windows system provided to me at work [in more than one
location, it seems]

That last needs a little clarification: over time, it seems the
"windows" version(s) of gpg and support tools (winpt, gpgme, gpgol) used
different directories for storing the files normally kept in "~/.gnupg"
on a Linux system, in particular, "C:\gnupg" and "C:\documents and
settings\<username>\application data\gnupg\".  

None of these "public" keyrings are the same, which makes sense: I can
be at any one of these computers when I come across a signed document,
and retrieving the public key only stores the results on that computer.
Furthermore, as I go about checking "web of trust" between me and this
new "key", I invariably add a few more keys "from the server" because
this "new" key has signatures from people I've never met.  (and if I
recursively perform "look up all unknown signers" looking to establish a
chain back to someone I know, this just grows and grows...)

As a result, each of these public keyrings contains information in one
of four states:

   1) keys I've signed
   2) keys I'm interested in, but haven't signed personally
   3) keys I've imported of people who have signed keys I'm interested
in [which may or may not have a signature of someone I "know"
personally]
   4) keys to signatures I have NOT imported [unknown keys, all I have
is the ID/fingerprint]

Keys I've signed are pretty easy to detect -- I can use "--list-sigs"
and pipe it through less, then search for my key id.  Keys I'm
interested in, however, tend to be indistinguishable from "keys of
signatories to those I'm interested in".  And of course, unknown keys are
just that -- unknown until you download or import them to that database.

And, of course, there are cases where a key for someone will have
different signatures on different keyrings as I've added them to each
keyring at different times (but this is easy to rectify as the
update-from-server works really well).

Any thoughts or suggestions?
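An added example for this thread (it is not code from the original post or from GnuPG): a small script that sorts a keyring listing into the four states described above and compares two keyrings. It parses the machine-readable output of `gpg --with-colons --fingerprint --list-sigs`. The two listings embedded below are constructed sample data with invented key IDs and names, and MY_KEYID is a placeholder for the reader's own long key ID. The split between state 2 and state 3 is a heuristic (a key that appears only as a signer of another key is counted as state 3), which is exactly the distinction the post says is hard to make by eye.

```python
"""Sort a GnuPG public keyring listing into four states and diff two rings.

Added example, not from the original post or from GnuPG.  Input is the
output of:  gpg --with-colons --fingerprint --list-sigs > listing.txt
MY_KEYID is a placeholder; the listings below are constructed sample data.
"""
from dataclasses import dataclass, field

MY_KEYID = "AAAA000000000001"  # placeholder: your own long key ID


@dataclass
class Key:
    keyid: str
    fpr: str = ""
    uids: list = field(default_factory=list)
    signers: set = field(default_factory=set)  # third-party signer key IDs


def parse_listing(text):
    """Parse --with-colons output into {keyid: Key}.

    Field layout (0-based): record type f[0]; key ID of pub/sig f[4];
    fpr and uid values f[9].  Self-signatures are skipped.
    """
    keys, cur = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = keys.setdefault(f[4], Key(f[4]))
        elif cur is None or len(f) < 10:
            continue
        elif f[0] == "fpr" and not cur.fpr:   # first fpr after pub = primary
            cur.fpr = f[9]
        elif f[0] == "uid":
            cur.uids.append(f[9])
        elif f[0] == "sig" and f[4] != cur.keyid:
            cur.signers.add(f[4])
    return keys


def classify(keys, my_keyid):
    """Return the post's four states as sets of key IDs."""
    present = set(keys)
    signed_by_me = {k for k, key in keys.items() if my_keyid in key.signers}
    signers, unknown = set(), set()
    for key in keys.values():
        for s in key.signers:
            (signers if s in present else unknown).add(s)
    # state 3: in the ring because it signs another key, not signed by me
    signers_only = signers - signed_by_me - {my_keyid}
    # state 2: everything else I have not signed
    interested = present - signed_by_me - signers_only - {my_keyid}
    return {"signed_by_me": signed_by_me, "interested": interested,
            "signers_only": signers_only, "unknown_signers": unknown}


def diff_keyrings(a, b):
    """Fingerprints present in only one of two parsed keyrings."""
    fa = {k.fpr for k in a.values()}
    fb = {k.fpr for k in b.values()}
    return fa - fb, fb - fa


def signature_gaps(a, b):
    """For keys in both rings, third-party signatures a has but b lacks."""
    return {k: a[k].signers - b[k].signers
            for k in set(a) & set(b) if a[k].signers - b[k].signers}


# Constructed sample: the "server" keyring (invented IDs and names).
SERVER_LISTING = """\
pub:u:2048:1:AAAA000000000001:1180000000:::u:::scESC:
fpr:::::::::1111222233334444AAAA000000000001:
uid:u::::1180000000::H1::Me Myself <me@example.org>:
sig:::1:AAAA000000000001:1180000000::::Me Myself <me@example.org>:13x:
pub:f:2048:1:BBBB000000000002:1180000000:::-:::scESC:
fpr:::::::::1111222233334444BBBB000000000002:
uid:f::::1180000000::H2::Alice <alice@example.org>:
sig:::1:BBBB000000000002:1180000000::::Alice <alice@example.org>:13x:
sig:::1:AAAA000000000001:1180000100::::Me Myself <me@example.org>:10x:
sig:::1:CCCC000000000003:1180000200::::Carol <carol@example.org>:10x:
sig:::1:DDDD000000000004:1180000300:::::10x:
pub:-:2048:1:CCCC000000000003:1180000000:::-:::scESC:
fpr:::::::::1111222233334444CCCC000000000003:
uid:-::::1180000000::H3::Carol <carol@example.org>:
sig:::1:CCCC000000000003:1180000000::::Carol <carol@example.org>:13x:
sig:::1:EEEE000000000005:1180000400:::::10x:
pub:-:2048:1:FFFF000000000006:1180000000:::-:::scESC:
fpr:::::::::1111222233334444FFFF000000000006:
uid:-::::1180000000::H6::Frank <frank@example.org>:
sig:::1:FFFF000000000006:1180000000::::Frank <frank@example.org>:13x:
"""

# Constructed sample: the "laptop" keyring, which lags behind the server.
LAPTOP_LISTING = """\
pub:u:2048:1:AAAA000000000001:1180000000:::u:::scESC:
fpr:::::::::1111222233334444AAAA000000000001:
sig:::1:AAAA000000000001:1180000000::::Me Myself <me@example.org>:13x:
pub:f:2048:1:BBBB000000000002:1180000000:::-:::scESC:
fpr:::::::::1111222233334444BBBB000000000002:
sig:::1:BBBB000000000002:1180000000::::Alice <alice@example.org>:13x:
sig:::1:AAAA000000000001:1180000100::::Me Myself <me@example.org>:10x:
"""

if __name__ == "__main__":
    server, laptop = parse_listing(SERVER_LISTING), parse_listing(LAPTOP_LISTING)
    for state, ids in classify(server, MY_KEYID).items():
        print(f"{state:16s} {sorted(ids)}")
    only_server, only_laptop = diff_keyrings(server, laptop)
    print("only on server:", sorted(only_server), "only on laptop:", sorted(only_laptop))
    print("signatures missing on laptop:", signature_gaps(server, laptop))
```

Run it against real listings by replacing the two constants with the contents of a listing file from each machine; the "unknown_signers" set is the list of IDs a `--recv-keys` would have to fetch, and the signature gaps show which keys need a `--refresh-keys` on the lagging machine.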

