
Re: debsigs



Steve Langasek <vorlon@netexpress.net> writes:

> AFAIK, "revocation certificate" should always be used to refer to the 
> revocation of a key, not of a signature.

I explicitly wrote "revoking certification", not "revoking keys". :-)

> If a signature on a key is revoked, it is possible to sign the key
> again later; but if a key is revoked, I don't know of any software
> that will let you un-revoke the key (and this is how it should be).

Of course, that's right.  And it is completely out of the question to
force an ex-developer to revoke his key.

>> I don't think it's a good idea to express trust by membership in the
>> Debian keyring.  Why can't we use bare OpenPGP for that?
>
> PGP gives you authentication only.

I don't know about PGP, but OpenPGP does offer a bit more than that.
For example, you can certify keys so that they become trusted
introducers automatically for someone who has sufficient trust in the
certifying key.

> The way the system recognizes authorized users is through the
> presence of their key in the ring.

You can express authorization by certification, together with the
notification field.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
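The mechanism discussed in this exchange (keys becoming trusted introducers through trust signatures, authorization carried in a notation on the certification, and revoking a certification rather than the key), as a toy model in Python. This is an added example, not code from the original message, from Debian or from GnuPG: it implements a simplified reading of the OpenPGP trust-signature subpacket (trust level and amount) and notation-data subpacket from RFC 2440/4880 over an in-memory certification graph. The key names, the notation name `authorized@example.org`, the 120 "complete trust" amount used as the threshold and the whole certification graph are constructed for the example.

```python
"""Toy model of OpenPGP trust signatures and notation data.

Added example, not code from the original message, from Debian, or from
GnuPG.  It models a simplified reading of the OpenPGP trust-signature
subpacket (trust level and amount) and notation-data subpacket from
RFC 2440/4880 over an in-memory certification graph.  Key names, the
notation name AUTH_NOTATION and the whole graph are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

COMPLETE_TRUST = 120                      # trust amount meaning "complete"
AUTH_NOTATION = "authorized@example.org"  # constructed notation name


@dataclass(frozen=True)
class Certification:
    """One certification (signature over another key) in the toy graph."""
    issuer: str
    subject: str
    level: int = 0                          # 0 = plain certification, >=1 = trust signature
    amount: int = 0                         # trust amount, 0..255
    notations: Tuple[Tuple[str, str], ...] = ()  # (name, value) notation pairs
    revoked: bool = False                   # the certification is revoked, not the key


def compute_trust(certs: Iterable[Certification], root: str) -> Dict[str, int]:
    """Map every key reachable from `root` to its introducer depth.

    depth 0  : the key is valid (authenticated) but cannot vouch for others
    depth n>0: the key is a trusted introducer; keys it certifies become
               valid and it may confer introducer depth up to n-1 via
               trust signatures carrying at least complete trust.
    Simplification: one complete certification suffices (no partial-trust
    counting), and the root is trusted at unbounded depth.
    """
    certs = list(certs)
    depth: Dict[str, int] = {root: 255}
    changed = True
    while changed:                          # fixpoint; depths only ever grow
        changed = False
        for c in certs:
            if c.revoked or depth.get(c.issuer, 0) < 1:
                continue                    # revoked, or issuer is no introducer
            new_depth = depth.get(c.subject, 0)
            if c.level >= 1 and c.amount >= COMPLETE_TRUST:
                new_depth = max(new_depth, min(c.level, depth[c.issuer] - 1))
            if c.subject not in depth or new_depth > depth[c.subject]:
                depth[c.subject] = new_depth
                changed = True
    return depth


def authorized(certs: Iterable[Certification], depth: Dict[str, int], key: str) -> bool:
    """True if a live certification from a trusted introducer carries the
    authorization notation.  Revoking that one certification withdraws the
    authorization while the key itself stays valid for authentication."""
    if key not in depth:
        return False
    return any(
        c.subject == key and not c.revoked and depth.get(c.issuer, 0) >= 1
        and (AUTH_NOTATION, "yes") in c.notations
        for c in certs
    )


def example_graph() -> List[Certification]:
    """Constructed scenario: root is the trust anchor; bob's authorizing
    certification has been revoked but alice still certifies his key."""
    auth = ((AUTH_NOTATION, "yes"),)
    return [
        Certification("root", "alice", level=1, amount=COMPLETE_TRUST, notations=auth),
        Certification("root", "bob", level=1, amount=COMPLETE_TRUST, notations=auth,
                      revoked=True),
        Certification("alice", "bob"),                    # plain cert keeps bob valid
        Certification("alice", "carol", notations=auth),  # introducer authorizes carol
        Certification("carol", "dave"),                   # carol is not an introducer
    ]


def summarize(certs: Iterable[Certification], root: str = "root") -> Dict[str, Tuple[bool, bool]]:
    """Return {key: (valid, authorized)} for every key named in the graph."""
    certs = list(certs)
    depth = compute_trust(certs, root)
    keys = {root} | {c.issuer for c in certs} | {c.subject for c in certs}
    return {k: (k in depth, authorized(certs, depth, k)) for k in sorted(keys)}


def reinstate(certs: Iterable[Certification], key: str, root: str = "root") -> List[Certification]:
    """Re-sign `key` after an earlier certification was revoked: a new,
    non-revoked certification restores introducer status and authorization."""
    return list(certs) + [Certification(root, key, level=1, amount=COMPLETE_TRUST,
                                        notations=((AUTH_NOTATION, "yes"),))]


if __name__ == "__main__":
    graph = example_graph()
    for k, (valid, auth) in summarize(graph).items():
        print(f"{k:6} valid={valid!s:5} authorized={auth}")
    print("after re-signing bob:", summarize(reinstate(graph, "bob"))["bob"])
```

In the constructed graph bob's key stays valid (alice still certifies it) while his authorization is gone with the revoked certification, and a fresh certification from root restores both his introducer depth and his authorization; dave is never valid because carol, certified with a plain signature, is not an introducer.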