Re: Migrating to GPG - A mini-HOWTO

Jason Gunthorpe wrote:
> To be a useful replacement for PGP2.x you will need one of the two RSAs
> though..

Only if you decide to continue to use software with patent problems and
not pure gnupg/openpgp combined with a new web of trust.

> > Signing .dsc and .changes files
> > 
> >    The Debian Installation routine (dinstall) is already prepared to
> >    accept GnuPG keys.  Your key has to be included in the keyring.gpg,
> >    though.  If this isn't done yet, send it to the keyring maintainer
> >    at keyring-maint@debian.org.  If your GnuPG key doesn't have a
> >    proper signature, you should sign that mail using your old PGP key,
> >    so the keyring maintainer can ensure that he's not adding an
> >    intruder's key.
> Nono, the new key must have a signature on it from the old RSA key (this
> is possible) then you can send it in a signed message to the keyring
> people. Otherwise our web of trust is totally trashed, very bad.

Nono!  The new key does not need to have a signature from the old pgp
key on it.  You can still create a new web of trust and only use the
new key.  You do not have to "mess" around with the rsa module.  This
is an option, not a must.

> However, everyone should be -using- gpg with their old PGP 2.x key.

I disagree.  The rsa module has patent problems.  It should not be
used.  If people want to use it that's fine.



PS: http://www.infodrom.north.de/~joey/GnuPG-Mini-HOWTO

Let's call it an accidental feature.  --Larry Wall

Please always Cc to me when replying to me on the lists.

