Re: Migrating to GPG - A mini-HOWTO

To: Ben Pfaff <pfaffben@msu.edu>
Cc: debian-devel@lists.debian.org
Subject: Re: Migrating to GPG - A mini-HOWTO
From: Jason Gunthorpe <jgg@ualberta.ca>
Date: Tue, 14 Sep 1999 15:16:59 -0600 (MDT)
Message-id: <[🔎] Pine.LNX.3.96.990914151230.3403l-100000@Wakko.deltatee.com>
In-reply-to: <[🔎] 871zc1xm7n.fsf@pfaffben.user.msu.edu>

On 14 Sep 1999, Ben Pfaff wrote:

> Michael Stone <mstone@debian.org> writes:
> 
>    On Tue, Sep 14, 1999 at 03:38:34PM +0200, Marco d'Itri wrote:
>    > I signed my DSS key with the old RSA key and then asked people who
>    > signed the old key to sign the new one with their DSS key.
>    > This is easy and secure.
> 
>    Again, no it isn't. How do they know that someone didn't steal your pgp
>    key?=20

> How is this different from the question ``How does dinstall (or other
> person/program) know someone hasn't stolen [developer]'s PGP key?''

Because you can revoke the old key and have all of it's signatures become
invalid. But, you cannot revoke this 'new' key that was created and passed
around as real using your compromised old key. It now has real signatures
that say 'I know for certain that this key belongs to this person'.

With dinstall a compromise is short lived and can be undone by erasing the
effected package. Creating a new key and getting people to sign it cannot
really be undone.

Jason

Reply to:

Follow-Ups:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Ben Pfaff <pfaffben@msu.edu>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Paul Slootman <paul@wau.mis.ah.nl>

References:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Ben Pfaff <pfaffben@msu.edu>

Prev by Date: Re: /opt/ again (was Re: FreeBSD-like approach for Debian? [was: ...])
Next by Date: Re: /opt/ again (was Re: FreeBSD-like approach for Debian? [was:
Previous by thread: Re: Migrating to GPG - A mini-HOWTO
Next by thread: Re: Migrating to GPG - A mini-HOWTO
Index(es):
- Date
- Thread