Re: Migrating to GPG - A mini-HOWTO
Jason Gunthorpe <firstname.lastname@example.org> writes:
> On 14 Sep 1999, Ben Pfaff wrote:
> > Michael Stone <email@example.com> writes:
> > > On Tue, Sep 14, 1999 at 03:38:34PM +0200, Marco d'Itri wrote:
> > > > I signed my DSS key with the old RSA key and then asked people who
> > > > signed the old key to sign the new one with their DSS key.
> > > > This is easy and secure.
> > > Again, no it isn't. How do they know that someone didn't steal your pgp
> > How is this different from the question ``How does dinstall (or other
> > person/program) know someone hasn't stolen [developer]'s PGP key?''
> Because you can revoke the old key and have all of its signatures become
> invalid. But, you cannot revoke this 'new' key that was created and passed
> around as real using your compromised old key. It now has real signatures
> that say 'I know for certain that this key belongs to this person'.
Okay. I accept this argument and agree.
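The point Jason makes above can be shown with a small trust-graph model. This is an added illustration, not code from the thread or from GnuPG: it models keys, certifications and revocation as a graph and evaluates key validity from one verifier's point of view. The key names ("marco-rsa", "alice", "impostor-dss") and the two scenarios are constructed for the example; the impostor key stands for a key an attacker created with a stolen old key.

```python
"""Toy web-of-trust model (constructed example, not GnuPG's validity algorithm).

A key is valid for a verifier if it is not revoked and carries at least one
live certification from a key the verifier accepts as an introducer.  A
certification is live only while the key that made it is unrevoked.
"""
from dataclasses import dataclass, field


@dataclass
class Key:
    owner: str
    revoked: bool = False
    certifiers: set = field(default_factory=set)  # names of keys that signed this key


class Keyring:
    def __init__(self):
        self.keys = {}

    def add(self, name, owner):
        self.keys[name] = Key(owner)

    def certify(self, signer, target):
        """Record that `signer` certified `target` (a third-party signature)."""
        if self.keys[signer].revoked:
            raise ValueError(f"{signer} is revoked; cannot certify")
        self.keys[target].certifiers.add(signer)

    def revoke(self, name):
        """Revoking a key kills every certification that key ever made."""
        self.keys[name].revoked = True

    def live_certifications(self, target):
        return {s for s in self.keys[target].certifiers if not self.keys[s].revoked}

    def is_valid(self, target, introducers):
        """Validity as seen by a verifier who accepts `introducers`."""
        if self.keys[target].revoked:
            return False
        return bool(self.live_certifications(target) & set(introducers))


def build_scenario(others_sign_directly):
    """Hypothetical scenario: Marco's old RSA key is stolen and the thief
    publishes a new DSS key cross-signed with it.  If `others_sign_directly`,
    Alice adds her own certification to the new key on the strength of that
    cross-signature (the migration shortcut discussed in the thread)."""
    kr = Keyring()
    kr.add("marco-rsa", "Marco d'Itri")
    kr.add("alice", "Alice")
    kr.add("impostor-dss", "attacker posing as Marco")
    kr.certify("alice", "marco-rsa")          # Alice verified Marco's old key in person
    kr.certify("marco-rsa", "impostor-dss")   # made by the thief with the stolen key
    if others_sign_directly:
        kr.certify("alice", "impostor-dss")   # Alice trusts the cross-signature and signs too
    return kr


def trust_before_and_after_revocation(others_sign_directly, introducers):
    """Return (valid_before, valid_after) for the impostor key once Marco
    revokes his stolen RSA key."""
    kr = build_scenario(others_sign_directly)
    before = kr.is_valid("impostor-dss", introducers)
    kr.revoke("marco-rsa")
    after = kr.is_valid("impostor-dss", introducers)
    return before, after


if __name__ == "__main__":
    # Alice relied only on Marco's old key as introducer: revocation fixes it.
    print("indirect:", trust_before_and_after_revocation(False, {"alice", "marco-rsa"}))
    # Alice signed the new key herself: revocation of the old key changes nothing.
    print("direct:  ", trust_before_and_after_revocation(True, {"alice"}))
```

In the indirect case the impostor key is valid only through the stolen key's certification, so revoking the old key drops it to invalid. In the direct case Alice's own certification stays live after the revocation, and only Alice can withdraw it; Marco has no revocation certificate for a key he never generated, which is exactly the gap the thread describes. The defence is the one Michael Stone implies: verify a replacement key out of band before certifying it, rather than on the strength of a cross-signature alone.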