
Re: Having more than one key in the Debian keyring
On Fri, Aug 08, 2003 at 10:49:43PM +0200, Marc Haber wrote:
> On Fri, 8 Aug 2003 15:11:58 -0400, Kyle McMartin
> <kyle@gondolin.debian.net> wrote:
> >Why are you replacing your key?

> Change of $ORKPLACE, and a b0rken key policy regarding the old one. I
> wouldn't say the old key is probably compromised, but I feel better
> with an entirely new key created in a well-known "clean" environment.

"I think there are people in the world that are capable of compromising
my key" is not a good reason to remove your old key from the keyring;
and "my key has been compromised because of the way I managed it while
working for Foo, Inc." is not a good reason to allow you to upload a new
key to the ring (why should the keymaster think you won't handle your
new key the same way?).  I think this is part of why it's so hard to get
a new key into the keyring: there are very few reasons for wanting to
replace a key that don't reflect poorly on the maintainer.

> >Alternatively, why can't you just
> >revuid or revkey the (uid/subkey)?

> I would end up without a valid key in the Debian keyring for months
> since it is well known that it takes months to get a new key into the
> Debian keyring - as usual with paranoia related roles in Debian (DAM,
> ftpmaster) without any form of traceable feedback.

And this reflects poorly on your knowledge of PGP.  Revocation of a
non-Debian uid, or of a subkey other than the one you use for uploads to
Debian, has no effect on the usability of the key for uploads.  Of
course, if you didn't /create/ a subkey for your work-related use, we
come back to the question of the fitness of past and future methods of
personal key management.

Were I the keymaster (and I'm not), I would expect anyone asking to
replace their key in the keyring to provide a very detailed explanation
of why this is necessary, as well as providing concrete assurances that
this will not be necessary in the future (i.e., explaining what steps
you've taken to prevent future problems).

-- 
Steve Langasek
postmodern programmer
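As an added illustration of the point made above about revoking a uid or subkey (this is not part of the thread; the key ids and the listing are constructed, not real): a small Python check over `gpg --with-colons --list-keys` output that shows a revoked user id or a revoked subkey leaves the remaining uids and subkeys, and with them the key's ability to sign, intact.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample listing (fictitious key ids): one primary key, two uids
# (the work uid revoked), three subkeys (one signing subkey revoked).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1060000000:::u:::scESC::::::23::0:
uid:u::::1060000000::HASH0::Example Maintainer <maint@example.org>::::::::::0:
uid:r::::1060000000::HASH1::Example Maintainer <maint@oldjob.example>::::::::::0:
sub:u:4096:1:AAAAAAAAAAAAAAAA:1060000000::::::s::::::23:
sub:r:4096:1:BBBBBBBBBBBBBBBB:1060000000::::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1060000000::::::e::::::23:
"""

@dataclass
class KeyStatus:
    primary_keyid: str = ""
    primary_revoked: bool = False
    primary_caps: str = ""          # lowercase letters: the primary key's own capabilities
    valid_uids: List[str] = field(default_factory=list)
    revoked_uids: List[str] = field(default_factory=list)
    usable_subkeys: Dict[str, str] = field(default_factory=dict)  # keyid -> capabilities
    unusable_subkeys: List[str] = field(default_factory=list)     # revoked or expired

def parse_listing(text: str) -> KeyStatus:
    """Walk the colon records; field 2 is validity ('r' revoked, 'e' expired),
    field 5 the key id, field 10 the user id, field 12 the capabilities."""
    status = KeyStatus()
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12:
            continue
        rtype, validity, keyid, uid, caps = f[0], f[1], f[4], f[9], f[11]
        if rtype == "pub":
            status.primary_keyid = keyid
            status.primary_revoked = validity == "r"
            status.primary_caps = "".join(c for c in caps if c.islower())
        elif rtype == "uid":
            (status.revoked_uids if validity == "r" else status.valid_uids).append(uid)
        elif rtype == "sub":
            if validity in ("r", "e"):
                status.unusable_subkeys.append(keyid)
            else:
                status.usable_subkeys[keyid] = caps
    return status

def can_still_sign(status: KeyStatus) -> bool:
    """A revoked uid or subkey does not stop the rest of the key from signing."""
    if status.primary_revoked:
        return False
    return "s" in status.primary_caps or any("s" in c for c in status.usable_subkeys.values())
```

Only a revocation of the primary key itself, or of the one subkey actually used for signing uploads, would change the result.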