Re: debsigs
Steve Langasek <vorlon@netexpress.net> writes:
> AFAIK, "revocation certificate" should always be used to refer to the
> revocation of a key, not of a signature.
I explicitly wrote "revoking certification", not "revoking keys". :-)
> If a signature on a key is revoked, it is possible to sign the key
> again later; but if a key is revoked, I don't know of any software
> that will let you un-revoke the key (and this is how it should be).
Of course, that's right. And it is completely out of the question to
force an ex-developer to revoke his key.
>> I don't think it's a good idea to express trust by membership in the
>> Debian keyring. Why can't we use bare OpenPGP for that?
>
> PGP gives you authentication only.
I don't know about PGP, but OpenPGP does offer a bit more than that.
For example, you can certify keys so that they become trusted
introducers automatically for someone who has sufficient trust in the
certifying key.
> The way the system recognizes authorized users is through the
> presence of their key in the ring.
You can express authorization by certification, together with the
notification field.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
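As an added illustration of the model Florian sketches above (trusted introducers created by certification, authorization carried in notation data, and revocation of a certification rather than of a key), here is a small Python evaluator. It is example code written for this page, not code from the thread, from debsigs or from GnuPG, and it is a deliberately simplified model rather than GnuPG's actual trust computation. The notation name role@example.org, the key IDs and the certifications are constructed for the example.

```python
"""Toy evaluator for authorization expressed through OpenPGP-style
certifications, trust signatures and notation data.

Simplified model for illustration, not GnuPG's trust computation:

* roots: keys the verifier trusts directly, each with an introducer depth.
* A key whose depth is >= 1 is a trusted introducer: its certifications
  on other keys are considered valid.
* A certification carrying a trust signature of depth L makes its target
  an introducer of depth min(L, signer_depth - 1).  A plain
  certification (depth 0) confers no introducer status.
* A key is authorized for a role if a trusted introducer certified it
  with the notation ROLE_NOTATION=<role>.
* Revoking a certification drops only that certification; the key itself
  stays valid and may be certified again later.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple

# Hypothetical notation name (OpenPGP user notations are "name@domain").
ROLE_NOTATION = "role@example.org"
DEVELOPER = ((ROLE_NOTATION, "developer"),)


@dataclass(frozen=True)
class Certification:
    signer: str                                   # key ID of the certifier
    target: str                                   # key ID being certified
    trust_depth: int = 0                          # 0 = plain cert, >= 1 = trust signature
    notations: Tuple[Tuple[str, str], ...] = ()   # (name, value) pairs
    revoked: bool = False


def introducer_depths(certs: Iterable[Certification],
                      roots: Dict[str, int]) -> Dict[str, int]:
    """Propagate introducer status from the roots along trust signatures."""
    certs = list(certs)
    depth = dict(roots)
    changed = True
    while changed:  # fixed-point iteration, so certificate order does not matter
        changed = False
        for c in certs:
            if c.revoked or c.trust_depth == 0:
                continue
            signer_depth = depth.get(c.signer, 0)
            if signer_depth < 1:  # only introducers can confer introducer status
                continue
            new_depth = min(c.trust_depth, signer_depth - 1)
            if new_depth > depth.get(c.target, -1):
                depth[c.target] = new_depth
                changed = True
    return depth


def is_authorized(certs: Iterable[Certification], roots: Dict[str, int],
                  key: str, role: str) -> bool:
    """True if a trusted introducer certified `key` with ROLE_NOTATION=role."""
    certs = list(certs)
    depth = introducer_depths(certs, roots)
    return any(
        not c.revoked
        and c.target == key
        and depth.get(c.signer, 0) >= 1
        and (ROLE_NOTATION, role) in c.notations
        for c in certs
    )


def revoke_certification(certs: Iterable[Certification],
                         signer: str, target: str) -> List[Certification]:
    """Revoke signer's certification(s) on target; the target key itself is untouched."""
    return [replace(c, revoked=True) if (c.signer, c.target) == (signer, target) else c
            for c in certs]


# Constructed sample: one root, one trusted introducer, and plain certifications.
ROOTS = {"root": 255}
CERTS = [
    Certification("root", "alice", trust_depth=1, notations=DEVELOPER),   # alice becomes an introducer
    Certification("alice", "bob", notations=DEVELOPER),                   # valid: alice is an introducer
    Certification("bob", "carol", notations=DEVELOPER),                   # bob is no introducer: carol unauthorized
    Certification("alice", "dave", trust_depth=1, notations=DEVELOPER),   # dave gets depth 0: certified, not an introducer
]

if __name__ == "__main__":
    for k in ("alice", "bob", "carol", "dave"):
        print(k, is_authorized(CERTS, ROOTS, k, "developer"))
    after = revoke_certification(CERTS, "root", "alice")
    print("bob after revoking root->alice:", is_authorized(after, ROOTS, "bob", "developer"))
    resigned = after + [Certification("root", "alice", trust_depth=1, notations=DEVELOPER)]
    print("bob after re-signing alice:", is_authorized(resigned, ROOTS, "bob", "developer"))
```

The point the model makes concrete: revoking root's certification of alice removes both alice's authorization and everything alice vouched for, without touching alice's key, and a fresh certification restores it; revoking alice's key would be a different and irreversible operation.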