Re: Migrating to GPG - A mini-HOWTO
On Tue, Sep 14, 1999 at 09:21:22AM +0100, Philip Hands wrote:
> Are you saying that people should sign keys received via e-mail,
> rather than face to face ?
>
> If so, I'm strongly against this.
Why?
> You should only sign keys which you have obtained from someone in
> person, whose identity you are reasonably certain of (i.e. passport).
But you do trust the key once it is signed, don't you?
> That higher level of confidence would be misplaced if I'd simply
> mailed my key to all my old PGP signers, and they'd signed it.
Sorry, I don't get this. Why is it a problem if one of my old signers signs
my new key if I send it to them in a mail signed by my old key?
I don't buy this "if the key was compromised" stuff at all. If someone
compromises my PGP key he/she can put whatever he/she wants into Debian
using my key. And signs whatever keys he/she wants.
Yes, I can revoke my key once I notice this. But the compromiser can also
create a new key for me and revoke the old one for me. So I have no access
anymore to my own PGP key as well. Where's the difference with the GPG keys?
Michael
--
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De | Use PostgreSQL!
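The procedure Michael describes, a new key certified by the old one and announced in a mail signed by the old key, as an added example that is not part of this thread or of any Debian tooling. Everything in it is invented for the demo: the user IDs and example.invalid addresses, the helper names (g, fpr_of, sigs_by, verified_signer, transition_ok) and the throwaway keyring. It needs gpg 2.1 or later and shows both what an old signer can verify before countersigning (the statement really carries a good signature from the fingerprint they certified earlier, and the new key carries a certification from that same old key) and what a forged transition looks like from the signer's side.

```shell
#!/bin/sh
# Added example, not part of the thread: a key transition in the style the
# post describes. "Michael" certifies his new key with his old key and mails a
# statement clearsigned by the old key; an old signer verifies both before
# countersigning the new key. Needs gpg >= 2.1. Every name and address here
# is invented for the demo.
set -eu
command -v gpg >/dev/null || { echo 'gpg not found' >&2; exit 1; }

# Throwaway keyring so the real ~/.gnupg is never touched.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# g: gpg with all prompts disabled and an empty passphrase (demo keys only).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# fpr_of <user id>: primary-key fingerprint of the first matching key.
fpr_of() {
    g --with-colons --list-keys "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# sigs_by <key> <signer fpr>: number of good certifications on <key> made by
# <signer>, read from --check-sigs (field 2 "!" = verified, field 5 = key id).
sigs_by() {
    kid=$(printf '%s' "$2" | tail -c 16)
    g --with-colons --check-sigs "$1" 2>/dev/null \
        | awk -F: -v k="$kid" '$1=="sig" && $2=="!" && $5==k {n++} END {print n+0}'
}

# verified_signer <file>: fingerprint of the key that validly signed the file
# (from the VALIDSIG status line), or empty output if nothing verifies.
verified_signer() {
    g --status-fd 1 --verify "$1" 2>/dev/null | awk '$2=="VALIDSIG"{print $3; exit}'
}

# 1. Michael's old key, his new key, the key of one of his old signers, and a
#    key belonging to someone else entirely (Mallory).
g --quick-generate-key 'Michael (old) <old@example.invalid>' ed25519 sign 0
g --quick-generate-key 'Michael (new) <new@example.invalid>' ed25519 sign 0
g --quick-generate-key 'Old Signer <signer@example.invalid>' ed25519 sign 0
g --quick-generate-key 'Mallory <mallory@example.invalid>' ed25519 sign 0
OLD=$(fpr_of old@example.invalid)
NEW=$(fpr_of new@example.invalid)
SIGNER=$(fpr_of signer@example.invalid)
MALLORY=$(fpr_of mallory@example.invalid)

# 2. Michael certifies the new key with the old one and writes the mail body
#    as a clearsigned statement from the old key.
g -u "$OLD" --quick-sign-key "$NEW"
MAIL="$GNUPGHOME/transition.asc"
printf 'I am replacing key %s with key %s.\n' "$OLD" "$NEW" \
    | g -u "$OLD" --clearsign > "$MAIL"

# 3. A forged transition for comparison: Mallory signs the same text with her
#    own key. It verifies as a signature, but not under the fingerprint the
#    old signer certified years ago.
FORGED="$GNUPGHOME/forged.asc"
printf 'I am replacing key %s with key %s.\n' "$OLD" "$NEW" \
    | g -u "$MALLORY" --clearsign > "$FORGED"

# 4. The old signer's checks before countersigning: the mail was signed by the
#    fingerprint they already trust, and the new key carries a certification
#    from that same old key.
transition_ok() {
    [ "$(verified_signer "$1")" = "$OLD" ] && [ "$(sigs_by "$NEW" "$OLD")" -eq 1 ]
}
if transition_ok "$MAIL"; then
    g -u "$SIGNER" --quick-sign-key "$NEW"
    echo "old signer certified new key $NEW"
fi
```

What this check establishes is only that whoever holds the old key's private half also vouches for the new key; it cannot tell a legitimate transition from one performed by someone who has compromised the old key, which is exactly the scenario the two posters disagree about.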