caff/README.many-keys

   1 Using caff to sign lots of keys
   2 -------------------------------
   3
   4 If you have loads of keys to sign (sometimes, there are keysigning parties with
   5 more than 100 participants), keysigning can be awkward, even with caff. It gets
   6 worse if you have multiple local keys and want to sign with all.
   7
   8 Some hints to get the signing done faster:
   9
  10 * Use fingerprints instead of key ids.
  11
  12   caff and gpg allow you to specify the full fingerprint. This will save you
  13   from having to check the fingerprint yourself. If you have a text file with
  14   all fingerprints, use that and then run
  15
  16   $ caff <options> "`cat ksp-fingerprints.txt`"
  17
  18   For convenience, caff also allows spaces in fingerprints/keyids as output by
  19   gpg --fingerprint. (Remember to properly quote arguments as shown above.)
  20
  21 * v3 keys are evil.
  22
  23   V3 keys (pgp 2.6x keys) are deprecated.  Not only do they rely on md5 for
  24   their fingerprint and signatures, they also use the patented IDEA algorithm
  25   for encryption.  Also, there are several attacks that make creating new keys
  26   with the same keyid trivial.  Others make it possible to create different
  27   keys with the same fingerprint (tho the key will not actually contain valid
  28   RSA parameters).
  29
  30   Because of these problems a lot of people (like caff's author) refuse to sign
  31   v3 keys these days.
  32
  33   If you still want to sign v3 keys, sign v3 separately. Batch processing does
  34   not work. See README.v3-keys.
  35
  36 * Use multiple passes.
  37
  38   Going through retrieving, signing, and mailing keys can help, e.g.:
  39
  40   $ caff --no-sign --no-export-old --no-mail "`cat ksp-fingerprints.txt`"
  41   $ caff --no-download --no-export-old --no-mail "`cat ksp-fingerprints.txt`"
  42   $ caff --no-download --no-sign --no-export-old "`cat ksp-fingerprints.txt`"
  43
  44 * If you have multiple local keys, use -u <mykey1>,<mykey2>.
  45
  46   $ caff -u <mykey1>,<mykey2> <keyids to sign>
  47
  48 * Use gpg-agent.
  49
  50   See README.gpg-agent.
  51
  52 * Use gpg-sign-args.
  53
  54   $CONFIG{'gpg-sign-args'} = "save";
  55
  56   This automatically saves the key after signing in gpg. The advantage is that
  57   you do not have to type "save" for each key. The disadvantage is that you
  58   cannot choose which UIDs to sign by answering "no" at the "Really sign?"
  59   prompt any more; you will have *not* to send out some mails. (And you have
  60   unwanted signatures lingering around in ~/.caff/gnupghome/pubring.gpg.)
  61
  62  -- Christoph Berg <cb@df7cb.de>  Mon, 25 Jun 2007 10:55:40 +0200