
Dominic Steinitz writes:
1. How do we handle key management? For example, if I lose my key or someone hacks into my machine and steals my key. How do we revoke the key?
If GnuPG is used -- and I am strongly in favor of this -- then encourage contributors to generate the revocation certificate at the same time they generate the key itself. Then instruct them to put that certificate on a CD, DVD, or whatever, so that they can distribute it when the secret key is lost or compromised. Most people are unable to revoke their keys because they have quite simply forgotten their pass phrase. If you have a revocation certificate already, that isn't a problem any longer. Since people will without a doubt lose the revocation certificates too, encourage them to generate keys that expire after a sensible period of time. Both GnuPG and PGP offer a pretty straightforward sub-keying mechanism which allows you to switch keys, say once a year, without losing the signatures that authenticate your key to others.
2. How do I get a trusted key given I am not likely to meet anybody "trusted" in the near future?
Unfortunately, that is impossible. Your best bet is to have everybody sign everybody else's key at every possible opportunity, and that still won't mean that the key Joe Doe downloaded from the Internet will be for real. Your best bet to ensure that the keys are authentic is to publish their fingerprints at every chance you get so that people can verify the key they downloaded through other means than a web site. Publishing fingerprints in the printed version of the Haskell standard would be a good start, for example.
3. What constitutes a "trusted" key?
There are no trusted keys. The decision of whether to trust a key or not _must_ be made by the person who downloads the package -- the user. Nobody else can make that decision for him.

Peter
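Added example, not code from the thread: the key lifecycle Peter sketches (an expiring primary key, the revocation certificate written alongside it, a signing subkey that can be rotated yearly) and the user-side check of a downloaded key against a fingerprint published through another channel, in POSIX shell. It assumes GnuPG 2.1 or later on PATH; the user id, file names and the script name `example.sh` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG >= 2.1 on PATH; the
# user id and file names are constructed placeholders.
set -eu

# Fingerprint of the first key in an exported key file, read without importing it.
fpr_of_keyfile() {              # $1 = path to the downloaded key file
    gpg --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint as it appears in print (grouped, any case) so that
# "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Succeed only when the downloaded key's full 40-hex-digit fingerprint equals
# the one obtained through another channel; short key ids are rejected outright.
fpr_matches() {                 # $1 = fingerprint of downloaded key, $2 = published one
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Demo of the key lifecycle in a throwaway keyring: run as `sh example.sh demo`.
# The empty passphrase is for the disposable keyring only.
if [ "${1:-}" = "demo" ] && command -v gpg >/dev/null 2>&1; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    uid="Example Maintainer <maintainer@example.invalid>"
    # Primary key that expires after one year; gpg 2.1+ writes a revocation
    # certificate to openpgp-revocs.d/ at the same time -- copy it to offline media.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 cert 1y
    fpr=$(gpg --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    # Signing subkey with its own expiry: rotate it yearly without losing the
    # signatures others have placed on the primary key.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign 1y
    # What a user downloads, then checks against the fingerprint published elsewhere.
    gpg --armor --export "$fpr" > "$GNUPGHOME/downloaded.asc"
    if fpr_matches "$(fpr_of_keyfile "$GNUPGHOME/downloaded.asc")" "$fpr"; then
        echo "downloaded key matches published fingerprint $fpr"
    else
        echo "FINGERPRINT MISMATCH: do not trust this key"; exit 1
    fi
    ls "$GNUPGHOME/openpgp-revocs.d"   # the revocation certificate to keep offline
fi
```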