Re: Migrating to GPG - A mini-HOWTO

Michael Stone wrote:
> On Tue, Sep 14, 1999 at 11:21:02AM +0200, Florian Lohoff wrote:
> > Just a small thought - If there is a web of trust on pgp - You
> > should be able to transfer it to "gpg".
> > 
> > Just send the gpg key in a mail signed with pgp. You are
> > able to verify the consistency of the mail and it is in the
> > hands of the sender (aka Owner of the 2 Keys) to ensure
> > the content of the mail is valid (As He/She does when printing
> > fingerprints) ...
> Not really. What if the pgp key is compromised? The original owner can
> release a revocation certificate for the pgp key, but if someone creates
> a new gpg key that you sign based on the (compromised) pgp key then
> you've possibly validated a key that the original owner cannot revoke.
> That would be bad.

So what do you propose?  Not using any digital signing at all?
What if you fake your passport and it's not Mike Stone but Joe
Blair pretending to be you and I sign your key.  That would be bad.



Let's call it an accidental feature.  --Larry Wall

Please always Cc to me when replying to me on the lists.