Any recommendations for recv-only keyserver setup?
I've got a pretty obscure question in the subject line.
I've just finished up drilling keypair/sign methods into RPM and
am starting to sign all built packages automagically.
The RPM usage case is to attach a digital certificate to
every package build, thereby automagically forcing
self-certed signatures/pubkeys into all packages produced by RPM.
The model afaict is a non-repudiation signature as described
in the "Handbook of Applied Cryptography" section 13.8.2 (for reference).
The basic threat to a non-repudiation signature is:
Original signer releases the private key and claims forgery.
Well, RPM is just gonna create, use and then discard the private key.
And you're unlikely to hear any claim of Forgery! from a "batch oriented"
installer that isn't permitted any dialog with a luser. ;-)
The other two means described to avoid the threat model involve
a notary, either to acquire a trusted time stamp, or for a signature/pubkey registrar.
So -- if I MUST set up a registry (I sure hope not) -- I'd like
to use an SKS server for the implementation.
However RPM is used _LOTS_ and there's no reason whatsoever to
distribute self-certs _EVERYWHERE_, all that's needed is a
standalone SKS server (or a private set of peers).