
Re: Migrating to GPG - A mini-HOWTO

On Tue 14 Sep 1999, Michael Stone wrote:
> On Tue, Sep 14, 1999 at 11:55:39PM +0200, Martin Schulze wrote:
> > Michael Stone wrote:
> > > Not really. What if the pgp key is compromised? The original owner can
> > > release a revocation certificate for the pgp key, but if someone creates
> > > a new gpg key that you sign based on the (compromised) pgp key then
> > > you've possibly validated a key that the original owner cannot revoke.
> > > That would be bad.
> > 
> > So what do you propose?  Not using any digital signing at all?
> How does that follow at all? Take a breath and calm down.

I think his point is that if you can't trust a pgp signature to
sign a gpg key, why should you trust a pgp signature to do anything
at all, e.g. accept an uploaded package.  Seems like a reasonable

Paul Slootman
home:       paul@wurtel.demon.nl http://www.wurtel.demon.nl/
work:       paul@murphy.nl       http://www.murphy.nl/
debian:     paul@debian.org      http://www.debian.org/
isdn4linux: paul@isdn4linux.de   http://www.isdn4linux.de/
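An added illustration of the objection quoted in this message (Michael Stone's point that a gpg key certified only on the strength of a compromised pgp key survives the pgp key's revocation). This is my own toy model, not code from the thread or from either PGP implementation; the key names ("me", "pgp-alice", "gpg-alice") and the idea of recording a "basis" key on a certification are constructed for the example.

```python
"""Toy keyring: keys, certifications and revocations.

A certification records who vouches for which key. When the only
evidence behind a certification was a signature made by some *other*
key (the old pgp key signing the new gpg key), that other key is stored
as the certification's 'basis'. A naive validity walk ignores the
basis; a basis-aware walk stops trusting a certification once its basis
key has been revoked, and lists such certifications so the certifier can
withdraw them.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Certification:
    signer: str                   # key that vouches for 'subject'
    subject: str                  # key being vouched for
    basis: Optional[str] = None   # key whose signature was the only evidence, if any


@dataclass
class Keyring:
    keys: Set[str] = field(default_factory=set)
    certs: List[Certification] = field(default_factory=list)
    revoked: Set[str] = field(default_factory=set)

    def add_key(self, key_id: str) -> None:
        self.keys.add(key_id)

    def certify(self, signer: str, subject: str, basis: Optional[str] = None) -> None:
        if signer not in self.keys or subject not in self.keys:
            raise KeyError("unknown key in certification")
        self.certs.append(Certification(signer, subject, basis))

    def revoke(self, key_id: str) -> None:
        # Revocation certificate published by the key's owner.
        self.revoked.add(key_id)


def _closure(ring: Keyring, trusted: Set[str],
             cert_ok: Callable[[Certification], bool]) -> Set[str]:
    """Keys reachable from 'trusted' through certifications accepted by cert_ok."""
    valid = {k for k in trusted if k not in ring.revoked}
    changed = True
    while changed:
        changed = False
        for c in ring.certs:
            if (c.signer in valid and c.subject not in valid
                    and c.subject not in ring.revoked and cert_ok(c)):
                valid.add(c.subject)
                changed = True
    return valid


def valid_keys_naive(ring: Keyring, trusted: Set[str]) -> Set[str]:
    """Plain web-of-trust walk: a certification counts as long as the signer is valid."""
    return _closure(ring, trusted, lambda c: True)


def valid_keys_basis_aware(ring: Keyring, trusted: Set[str]) -> Set[str]:
    """Same walk, but a certification whose basis key is revoked no longer counts."""
    return _closure(ring, trusted,
                    lambda c: c.basis is None or c.basis not in ring.revoked)


def suspect_certifications(ring: Keyring) -> List[Certification]:
    """Certifications that rested only on a now-revoked key: candidates for withdrawal."""
    return [c for c in ring.certs if c.basis is not None and c.basis in ring.revoked]


def migration_scenario():
    """Constructed scenario: gpg key certified on the strength of a pgp key that is later revoked."""
    ring = Keyring()
    for k in ("me", "pgp-alice", "gpg-alice"):
        ring.add_key(k)
    ring.certify("me", "pgp-alice")                      # verified out of band (constructed)
    ring.certify("me", "gpg-alice", basis="pgp-alice")   # only evidence: pgp-alice signed gpg-alice
    ring.revoke("pgp-alice")                              # owner revokes the compromised pgp key
    return (valid_keys_naive(ring, {"me"}),
            valid_keys_basis_aware(ring, {"me"}),
            suspect_certifications(ring))


if __name__ == "__main__":
    naive, aware, suspects = migration_scenario()
    print("naive validity:      ", sorted(naive))      # gpg-alice still valid
    print("basis-aware validity:", sorted(aware))      # gpg-alice dropped
    print("certifications to withdraw:", suspects)
```

The naive walk is what a real keyring does: once "me" has certified gpg-alice, revoking pgp-alice changes nothing, which is exactly the situation described above, and the legitimate owner holds no revocation certificate for the gpg key if it was created by whoever compromised the pgp key. The only party who can close that gap is the certifier, by revoking their own certification (in GnuPG, the `revsig` command under `gpg --edit-key`), which is why the basis-aware variant exists: it tells you which certifications to withdraw when a key you relied on is revoked.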
