
Re: Migrating to GPG - A mini-HOWTO



On Tue, Sep 14, 1999 at 09:21:22AM +0100, Philip Hands wrote:
> Are you saying that people should sign keys received via e-mail,
> rather than face to face ?
> 
> If so, I'm strongly against this.

Why?

> You should only sign keys which you have obtained from someone in
> person, whose identity you are reasonably certain of (i.e. passport).

But you do trust the key once it is signed, don't you?

> That higher level of confidence would be misplaced if I'd simply
> mailed my key to all my old PGP signers, and they'd signed it.

Sorry, I don't get this. Why is it a problem if one of my old signers signs
my new key if I send it to them in a mail signed by my old key?

I don't buy this "if the key was compromised" stuff at all. If someone
compromises my PGP key he/she can put whatever he/she wants into Debian
using my key. And sign whatever keys he/she wants.

Yes, I can revoke my key once I notice this. But the compromiser can also
create a new key for me and revoke the old one for me. So I no longer have
access to my own PGP key either. Where's the difference with the GPG keys?

Michael

-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!

