
Re: RFC: gnupg



-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 5 Jul 1998, Jules Bean wrote:

>I wrote a long reply to Zed's email, and lost it :-(
>
>So, on sober reflection, I am able to sum up my response very briefly as
>follows:
>
>1) No one is asking you to stop using PGP.  There are many reasons to use
>PGP over gpg, for you as a private individual.  All I am suggesting is that
>for debian official purposes, we switch to gpg. Primarily this is package
>signing, but there are a few other things (sending out passwords, etc.).

    This will require special scripts to be written to distinguish
between gpg signed packages and pgp signed packages, and to
automatically call the correct program to check.  If they get written
before anyone attempts to implement this, I doubt I'll mind the new
addition.  If I have to write them myself, I'm going to be annoyed.


>3) You will use your existing PGP key to sign your gpg key initially - I see
>no scope there for exploits, could you clarify?

    You can't use an existing PGP key to sign a GPG key, not in the
usual fashion anyway.  I suppose I could uuencode the GPG key output and
sign THAT with my PGP key.  GPG however doesn't support the necessary
encryptions to handle keys with PGP signatures on them.  That leaves
room for (admittedly this is highly unlikely) substitution attacks
between the time the signature is checked and the GPG key is put on the
keyring.

=============================================================================
 Zed Pobre <zed@va.debian.org>  |  PGP key on servers, fingerprint on finger
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv

-----END PGP SIGNATURE-----
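
The dispatch script the reply above asks for, as an added example (not part of the original message and not an existing Debian tool). It reads the OpenPGP signature packet rather than the unauthenticated "Version:" armor header and picks a verifier by public-key algorithm. The RSA to pgp, DSA to gpg mapping, the function names and the sample packets are assumptions made for illustration.

```python
import base64

# RFC 4880 algorithm IDs (1, 3 = RSA; 17 = DSA); the tool mapping is an assumption.
VERIFIER = {1: "pgp", 3: "pgp", 17: "gpg"}

def dearmor(text):  # ASCII-armored block -> binary packet data
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    body = [l for l in body if l and not (len(l) == 5 and l[0] == "=")]  # drop CRC-24 line
    return base64.b64decode("".join(body), validate=True)

def signature_info(data):
    """Return (signature version, public-key algorithm) of the first packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                  # new-format packet header
        tag = data[0] & 0x3F
        if 224 <= data[1] < 255:
            raise ValueError("partial body length not handled")
        hdr = 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:                               # old-format packet header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 3
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        hdr = 1 + (1, 2, 4)[ltype]
    body = data[hdr:]
    if tag != 2 or not body:
        raise ValueError("first packet is not a signature")
    # v3: version, 5, type, ctime[4], keyid[8], pubalgo; v4: version, type, pubalgo
    offset = {2: 15, 3: 15, 4: 2}.get(body[0])
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature packet")
    return body[0], body[offset]

def pick_verifier(armored):
    """Name the program to call, decided from the signature packet itself."""
    algo = signature_info(dearmor(armored))[1]
    if algo not in VERIFIER:
        raise ValueError(f"no verifier for public-key algorithm {algo}")
    return VERIFIER[algo]

# Constructed header-only sample packets; they carry no real signature material.
ARMOR = "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n%s\n-----END PGP SIGNATURE-----\n"
V3_RSA = ARMOR % base64.b64encode(bytes([0x89, 0x00, 0x11, 3, 5, 0]) + bytes(12) + bytes([1, 1])).decode()
V4_DSA = ARMOR % base64.b64encode(bytes([0x88, 0x04, 4, 0, 17, 2])).decode()
```

A caller would run the returned program on the package signature and treat any ValueError as a verification failure rather than falling back to a default tool.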

