Re: Migrating to GPG - A mini-HOWTO

To: Martin Schulze <joey@infodrom.north.de>
Cc: Debian Development <debian-devel@lists.debian.org>
Subject: Re: Migrating to GPG - A mini-HOWTO
From: Philip Hands <phil@hands.com>
Date: 14 Sep 1999 23:56:14 +0100
Message-id: <[🔎] 87so4hqf01.fsf@sheikh.hands.com>
In-reply-to: <[🔎] 19990914235309.A3397@finlandia.infodrom.north.de> (Martin Schulze's message of "Tue, 14 Sep 1999 23:53:09 +0200")
References: <[🔎] 19990914054409.B15684@finlandia.infodrom.north.de> <[🔎] Pine.LNX.3.96.990913233410.3403d-100000@Wakko.deltatee.com> <[🔎] 19990914082754.C15684@finlandia.infodrom.north.de> <[🔎] 87lna9vr7h.fsf@sheikh.hands.com> <[🔎] 19990914235309.A3397@finlandia.infodrom.north.de>

Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:

> Philip Hands wrote:
> > Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:
> > 
> > > If the people that signed the key are still known and also use GnuPG
> > > these days, they can sign the new key as well.  If not, the maintainer
> > > has to decide what to do.  It's good to have the option to continue
> > > with the old key, though.
> > 
> > Are you saying that people should sign keys received via e-mail,
> > rather than face to face ?
> > 
> > If so, I'm strongly against this.
> 
> Only if they met face to face to sign the first key.  Only in that
> single case they can trust that key, signing a new one.

How can they trust that key?

How do they know that you've not just had your old keys compromised,
and some evil scumbag thought they'd get in quick and pretend to be
you before you got round to revoking your keys?

Normally, having your keys compromised is bad enough, but if we make
it standard practice to sign people's keys on the strength of their
old keys, then how is one to judge if the new signing means:

  ``I met this person again, with their new keys in hand''

or

  ``I met this person once, so I'll sign anything that comes my way''

If the latter, then when the real person says ``Hey, that's not me!''
how are we supposed to determine if they're telling the truth?

If you think that a self signature on the new key is good enough to
spread the web of trust, then fair enough (I do as it happens) in
which case people a person signing their own new key with their old
key is sufficient.  This is good, because that signature reflects
reality, in that they know who they are, and can vouch for the key
being theirs.

Signing people's new keys on the strength of a signed email pollutes
the web of trust with potentially flawed links.

Obviously, if we're life-long friends, and I send you a new key signed
with my old key, and then you phone me up and establish that I really
did send it to you, and that your pretty certain that it is me on that
answered the phone, then a face to face meeting is probably redundant.

Cheers, Phil.

Reply to:

Follow-Ups:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Gabor Fleischer <flocsy@mail.mtesz.hu>

References:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Jason Gunthorpe <jgg@ualberta.ca>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Philip Hands <phil@hands.com>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>

Prev by Date: Re: Increasing regularity of build systems
Next by Date: Re: Migrating to GPG - A mini-HOWTO
Previous by thread: Re: Migrating to GPG - A mini-HOWTO
Next by thread: Re: Migrating to GPG - A mini-HOWTO
Index(es):
- Date
- Thread