A few days ago, I took two actions regarding the two keys (a PGP one as well as a GPG one) I use for Debian (and for general purpose):

(1) I revoked my PGP key as I prefer to use my GPG and DSA/ElGamal rather than RSA/IDEA;
(2) I added a new UID which has been signed by a lot of people and created a subkey that I use for signing.

Then I tried to update Debian's knowledge of my keys by:

(1) Uploading the updated versions of this key to keyring.debian.org keyserver;
(2) Sending a mail explaining that to keyring-maint@debian.org.

Note that no new key has been created, this is only a revocation of an existing key and a modification of an existing one as well. Both are already known by Debian and have been used to sign package changes.

As of today, my keys have not been taken into account yet. My record on db.debian.org contains the old version of the keys, and some uploads have been refused (because the new subkey is not known yet). While the latter is only a minor inconvenience (as I can sign package changes with my primary GPG key), the first one is worrisome. It means that my revoked key can still be used to upload Debian packages.

Fortunately, I revoked this key as a maintenance operation. But what happens if a developer gets his key compromised? Does he have any way of making sure that the revocation certificate he generates will be taken into account immediately?

I think that developers (and anyone in fact) should be able to update keys in Debian's keyring (let's not forget that any operation potentially harmless to the project needs the owner to sign the operation, so this is not a risk) and those changes should be taken into account immediately. What do other developers think? Is it worth developing a little piece of code so that keys sent to key-update@debian.org (or whatever) *and* already existing in the keyring are incorporated automatically?
  Sam

PS/ please let's not make this a flamewar: keyring-maint@debian.org did nothing wrong by not answering my mail immediately, I just question the procedure for updating keys that could be made automatic for the benefit of everybody;

PPS/ also, if you do not exactly understand how uids, subkeys and revocation certificates work, please refrain from answering this mail before reading the documentation on, for example, http://www.gnupg.org/

-- 
Samuel Tardieu -- sam@debian.org
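The automatic "update only keys that are already in the keyring" rule proposed in the mail, as an added example that is not part of the original post and not Debian's keyring tooling. It parses the machine-readable listing produced by `gpg --with-colons --list-keys` (a real GnuPG option; the sample listings below are constructed, and the fingerprints are placeholders), detects which submitted keys are revoked, which gained a signing subkey, and which are unknown and therefore need a human. The record layout (validity in field 2, fingerprint or user id in field 10, capabilities in field 12) follows GnuPG's documented colon format; the helper names are this example's own.

```python
# Added example (not from the original mail): parse `gpg --with-colons` key listings
# and apply the policy proposed above, namely that an update is accepted automatically
# only for a key whose primary fingerprint is already in the keyring.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class KeyInfo:
    fingerprint: str = ""
    validity: str = ""                         # field 2 of the pub record; 'r' = revoked
    uids: List[str] = field(default_factory=list)
    subkeys: List[Tuple[str, str]] = field(default_factory=list)  # (fingerprint, capabilities)

    @property
    def revoked(self) -> bool:
        return self.validity == "r"

    def signing_subkeys(self) -> List[str]:
        """Fingerprints of subkeys whose capability field contains 's' (signing)."""
        return [fpr for fpr, caps in self.subkeys if "s" in caps]


def parse_colons(listing: str) -> List[KeyInfo]:
    """Parse the output of `gpg --with-colons --list-keys`.

    1-based fields: 1 record type, 2 validity, 10 user id or fingerprint,
    12 key capabilities. A `fpr` record follows the `pub`/`sub` record it belongs to.
    """
    keys: List[KeyInfo] = []
    current = None
    pending = None                             # ("pub"|"sub", capabilities) awaiting its fpr
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                           # blank or malformed line
        rec = f[0]
        caps = f[11] if len(f) > 11 else ""
        if rec == "pub":
            current = KeyInfo(validity=f[1])
            keys.append(current)
            pending = ("pub", caps)
        elif rec == "sub" and current is not None:
            pending = ("sub", caps)
        elif rec == "fpr" and current is not None and pending is not None:
            kind, subcaps = pending
            if kind == "pub":
                current.fingerprint = f[9]
            else:
                current.subkeys.append((f[9], subcaps))
            pending = None
        elif rec == "uid" and current is not None:
            current.uids.append(f[9])
    return keys


def classify_updates(keyring: List[KeyInfo], submitted: List[KeyInfo]) -> Dict[str, str]:
    """Decide, per submitted key, what an automatic key-update service should do.

    'defer'  : primary fingerprint unknown -> a new key, left to the keyring maintainers
    'revoke' : known key now carries a revocation -> apply immediately
    'update' : known key with new UIDs/subkeys -> merge
    """
    known = {k.fingerprint: k for k in keyring}
    decisions: Dict[str, str] = {}
    for key in submitted:
        if key.fingerprint not in known:
            decisions[key.fingerprint] = "defer"
        elif key.revoked and not known[key.fingerprint].revoked:
            decisions[key.fingerprint] = "revoke"
        else:
            decisions[key.fingerprint] = "update"
    return decisions


# Constructed sample listings (fingerprints are placeholders, not real keys).
KEYRING_BEFORE = """\
pub:-:1024:17:0123456789ABCDEF:1998-01-01::::::SC::::::
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:-::::1998-01-01::0::Example Developer <dev@example.org>::::::::::0:
pub:-:1024:17:FEDCBA9876543210:1999-01-01::::::SC::::::
fpr:::::::::BBBB0123456789ABCDEF0123456789ABCDEF0123:
uid:-::::1999-01-01::0::Example Developer <dev@example.org>::::::::::0:
sub:-:2048:16:1111222233334444:1999-01-02::::::e::::::
fpr:::::::::CCCC0123456789ABCDEF0123456789ABCDEF0123:
"""

# The same developer's keys as re-uploaded: first key revoked, second key with a new
# UID and a new signing subkey, plus one key that the keyring has never seen.
SUBMITTED = """\
pub:r:1024:17:0123456789ABCDEF:1998-01-01::::::SC::::::
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:r::::1998-01-01::0::Example Developer <dev@example.org>::::::::::0:
pub:-:1024:17:FEDCBA9876543210:1999-01-01::::::SC::::::
fpr:::::::::BBBB0123456789ABCDEF0123456789ABCDEF0123:
uid:-::::1999-01-01::0::Example Developer <dev@example.org>::::::::::0:
uid:-::::2000-01-01::0::Example Developer <dev@example.com>::::::::::0:
sub:-:2048:16:1111222233334444:1999-01-02::::::e::::::
fpr:::::::::CCCC0123456789ABCDEF0123456789ABCDEF0123:
sub:-:1024:17:5555666677778888:2000-01-02::::::s::::::
fpr:::::::::DDDD0123456789ABCDEF0123456789ABCDEF0123:
pub:-:1024:17:9999888877776666:2000-03-01::::::SC::::::
fpr:::::::::EEEE0123456789ABCDEF0123456789ABCDEF0123:
uid:-::::2000-03-01::0::Someone New <new@example.org>::::::::::0:
"""


def demo() -> Dict[str, str]:
    return classify_updates(parse_colons(KEYRING_BEFORE), parse_colons(SUBMITTED))


if __name__ == "__main__":
    for fpr, action in demo().items():
        print(f"{action:7s} {fpr}")
```

Run against a real keyring, the two listings would come from `gpg --with-colons --list-keys` on the current keyring and on the submitted key material; the important property for the compromise scenario in the mail is that a revocation of a known key is classified on its own and can be applied at once, while anything with an unknown primary fingerprint still waits for the maintainers.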