
Re: [Debconf-discuss] Please don't upload GPG keys to keyserver when signing them



Petter Reinholdtsen said [Thu, Aug 06, 2009 at 12:16:30PM +0200]:
> [Jan Wagner]
> > .oO(*note* don't keysign with Petter Reinholdtsen for now)
> 
> No problem.  I do not believe we know each other, so that is just as
> it should be. :)

Old keys tend to have old mail addresses — as for me, since I started
using 1024/8BB527AF I switched my main mail address twice and
added/deleted a couple of identities. Yes, I revoked the identities I
don't have access to anymore. If somebody registers gwolf.cx, or somebody
gets my old account at campus.iztacala.unam.mx, they will get my
mails. It is extremely unlikely they will be able to make any sense
out of my GPG-crypted mails at that address. 

So, what am I losing if you just upload the keys to the server? Very
little, but still: Some people might see you (hypothetically - it is
_not_ the case) signed my key in 2009 and decide to write me a
personal, unencrypted mail to said addresses before checking if the
address does reach me - after all, you (would) have just validated it!

Even worse: What would happen if I were stupid enough back in 2003 to
leave a copy of my private key on that machine when I quit that job?
Well, they would have my well-signed key _and_ control of one of its
identities. Even if it is people unable to properly "bake" a Debian
package, they could (ab)use my trusted identity. It's "just" a matter
of them breaking my GPG passphrase :-}

Of course, were I to get crypted mails there, we lose nothing. And I
really really don't expect them to get my private key. Still, it is a
possibility better left closed.

-- 
Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244
