Re: Migrating to GPG - A mini-HOWTO
On Tue, Sep 14, 1999 at 09:21:22AM +0100, Philip Hands wrote:
> Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:
>
> > If the people that signed the key are still known and also use GnuPG
> > these days, they can sign the new key as well. If not, the maintainer
> > has to decide what to do. It's good to have the option to continue
> > with the old key, though.
>
> Are you saying that people should sign keys received via e-mail,
> rather than face to face ?
>
> If so, I'm strongly against this.
>
> You should only sign keys which you have obtained from someone in
> person, whose identity you are reasonably certain of (i.e. passport).
>
> If I sign my GPG key with my PGP key, then people can decide if the
> GPG key is worthwhile on that basis.
>
> If I then go to a load of key signings and establish a GPG web of
> trust, people rightly get a higher level of confidence in my GPG key.
>
> That higher level of confidence would be misplaced if I'd simply
> mailed my key to all my old PGP signers, and they'd signed it.

Just a small thought - if there is a web of trust on pgp, you
should be able to transfer it to "gpg".

Just send the gpg key in a mail signed with pgp. You are
able to verify the consistency of the mail, and it is in the
hands of the sender (aka owner of the 2 keys) to ensure
the content of the mail is valid (as he/she does when printing
fingerprints) ...

Now just sign the mail (after checking the signature of the mail)
with your gpg key and send it back (signed or encrypted) ...

I prefer the transition to gpg, although others might think
differently. It is a bit painful that even with non-free software
plugins gpg is NOT able to sign/encrypt messages with RSA keys
(I know of no way).

A thing I don't like is mixing gpg and pgp signatures, as pgp is
not able to process them ...

Flo
--
Florian Lohoff flo@rfc822.org +49-5241-470566
... The failure can be random; however, when it does occur, it is
catastrophic and is repeatable ... Cisco Field Notice