Re: Migrating to GPG - A mini-HOWTO

To: debian-devel@lists.debian.org
Subject: Re: Migrating to GPG - A mini-HOWTO
From: Ben Pfaff <pfaffben@msu.edu>
Date: 14 Sep 1999 17:24:48 -0400
Message-id: <[🔎] 87zoypw5i7.fsf@pfaffben.user.msu.edu>
Reply-to: pfaffben@msu.edu
In-reply-to: Jason Gunthorpe's message of "Tue, 14 Sep 1999 15:16:59 -0600 (MDT)"
References: <[🔎] Pine.LNX.3.96.990914151230.3403l-100000@Wakko.deltatee.com>

Jason Gunthorpe <jgg@ualberta.ca> writes:

   On 14 Sep 1999, Ben Pfaff wrote:

   > Michael Stone <mstone@debian.org> writes:
   > 
   >    On Tue, Sep 14, 1999 at 03:38:34PM +0200, Marco d'Itri wrote:
   >    > I signed my DSS key with the old RSA key and then asked people who
   >    > signed the old key to sign the new one with their DSS key.
   >    > This is easy and secure.
   > 
   >    Again, no it isn't. How do they know that someone didn't steal your pgp
   >    key?=20

   > How is this different from the question ``How does dinstall (or other
   > person/program) know someone hasn't stolen [developer]'s PGP key?''

   Because you can revoke the old key and have all of it's signatures become
   invalid. But, you cannot revoke this 'new' key that was created and passed
   around as real using your compromised old key. It now has real signatures
   that say 'I know for certain that this key belongs to this person'.

Okay.  I accept this argument and agree.

Reply to:

References:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Jason Gunthorpe <jgg@ualberta.ca>

Prev by Date: Re: /opt/ again (was Re: FreeBSD-like approach for Debian? [was: ...])
Next by Date: Re: /opt/ again (was Re: FreeBSD-like approach for Debian? [was: ...])
Previous by thread: Re: Migrating to GPG - A mini-HOWTO
Next by thread: Re: Migrating to GPG - A mini-HOWTO
Index(es):
- Date
- Thread