Re: Migrating to GPG - A mini-HOWTO

To: Debian Development <debian-devel@lists.debian.org>
Subject: Re: Migrating to GPG - A mini-HOWTO
From: Paul Slootman <paul@wau.mis.ah.nl>
Date: Wed, 15 Sep 1999 13:01:18 +0200
Message-id: <[🔎] 19990915130118.A31301@wau.mis.ah.nl>
Mail-followup-to: Debian Development <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 19990914221409.S7102@justice.loyola.edu>
References: <[🔎] 19990914054409.B15684@finlandia.infodrom.north.de> <[🔎] Pine.LNX.3.96.990913233410.3403d-100000@Wakko.deltatee.com> <[🔎] 19990914082754.C15684@finlandia.infodrom.north.de> <[🔎] 87lna9vr7h.fsf@sheikh.hands.com> <[🔎] 19990914112102.A23682@mini.gt.owl.de> <[🔎] 19990914070718.I7102@justice.loyola.edu> <[🔎] 19990914235511.B3397@finlandia.infodrom.north.de> <[🔎] 19990914221409.S7102@justice.loyola.edu>

On Tue 14 Sep 1999, Michael Stone wrote:
> On Tue, Sep 14, 1999 at 11:55:39PM +0200, Martin Schulze wrote:
> > Michael Stone wrote:
> > > Not really. What if the pgp key is compromised? The original owner can
> > > release a revocation certificate for the pgp key, but if someone creates
> > > a new gpg key that you sign based on the (compromised) pgp key then
> > > you've possibly validated a key that the original owner cannot revoke.
> > > That would be bad.
> > 
> > So what do you propose?  Not using any digital signing at all?
> 
> How does that follow at all? Take a breath and calm down.

I think his point is that if you can't trust a pgp signature to
sign a gpg key, why should trust a pgp signature to do anything
at all, e.g. accept an uploaded package.  Seems like a reasonable
argument.


Paul Slootman
-- 
home:       paul@wurtel.demon.nl http://www.wurtel.demon.nl/
work:       paul@murphy.nl       http://www.murphy.nl/
debian:     paul@debian.org      http://www.debian.org/
isdn4linux: paul@isdn4linux.de   http://www.isdn4linux.de/

Reply to:

Follow-Ups:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Michael Stone <mstone@debian.org>

References:
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Jason Gunthorpe <jgg@ualberta.ca>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Philip Hands <phil@hands.com>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Florian Lohoff <flo@rfc822.org>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Michael Stone <mstone@debian.org>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
- Re: Migrating to GPG - A mini-HOWTO
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Bug o' the week
Next by Date: Re: Migrating to GPG - A mini-HOWTO
Previous by thread: Re: Migrating to GPG - A mini-HOWTO
Next by thread: Re: Migrating to GPG - A mini-HOWTO
Index(es):
- Date
- Thread