
Re: debsigs



Henrique de Moraes Holschuh <hmh@debian.org> writes:

>> > We do not revoke keys because they are not invalid. We do not revoke the
>> > signatures on UIDs mentioning @debian.org, because that would cause a lot of
>> > trouble for the person to come back to the Debian project, I think. One
>> > cannot revoke a revocation certificate, AFAIK...
>> 
>> Yes, you can.  Just sign the key again.  Recent GnuPG versions will
>> handle this correctly.
>
> Will that work correctly in remote keys (i.e. if one key that HAS the
> revocation signature on top of the old signature, and fetches the new
> signature, does it wipe the old sig and rev. sig?)

It doesn't wipe it (both signatures are still there), but it reverses
the effect of the revocation.

>> I don't think it's a good idea to express trust by membership in the
>> Debian keyring.  Why can't we use bare OpenPGP for that?
>
> We don't use that because (AFAIK):
>
> 1. It is slower by a factor of 10, if not more.

This will be fixed in GnuPG 1.0.7.

> If (1) is not a problem anymore, and you are offering to fix all the
> scripts...

Uh-oh...

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
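
Added example, not part of the original message and not GnuPG's code: a simplified model of the behaviour described in the reply above, where importing a newer certification keeps the old signature and its revocation in the keyring but the signer's most recent signature decides the effect. The `Sig` record, the function names, the key ID and the timestamps are constructed for illustration; expiry and non-revocable flags are not modelled.

```python
from dataclasses import dataclass

# OpenPGP signature types (RFC 4880): generic certification, certification revocation
CERT, CERT_REVOCATION = 0x10, 0x30

@dataclass(frozen=True)
class Sig:
    issuer: str    # key ID of the signer
    uid: str       # user ID the signature is bound to
    sig_type: int
    created: int   # creation time, seconds since epoch

def merge(local, fetched):
    """Model of a keyring import: union of packets, nothing is deleted."""
    merged = list(local)
    for sig in fetched:
        if sig not in merged:
            merged.append(sig)
    return merged

def certified_by(sigs, issuer, uid):
    """True if the issuer's most recent signature on uid is a certification."""
    relevant = [s for s in sigs if s.issuer == issuer and s.uid == uid]
    if not relevant:
        return False
    latest = max(relevant, key=lambda s: s.created)
    return latest.sig_type == CERT

# Constructed sample data: the local copy holds the old certification plus its
# revocation; the fetched copy carries the signer's fresh certification.
UID = "Example Developer <dev@example.org>"
SIGNER = "0xAAAAAAAAAAAAAAAA"
local_copy = [Sig(SIGNER, UID, CERT, 1000),
              Sig(SIGNER, UID, CERT_REVOCATION, 2000)]
fetched_copy = [Sig(SIGNER, UID, CERT, 3000)]

def demo():
    """Return (certified before import, packets after import, certified after)."""
    before = certified_by(local_copy, SIGNER, UID)
    merged = merge(local_copy, fetched_copy)
    return before, len(merged), certified_by(merged, SIGNER, UID)

if __name__ == "__main__":
    print(demo())
```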