Henrique de Moraes Holschuh <email@example.com> writes:
>> > We do not revoke keys because they are not invalid. We do not revoke the
>> > signatures on UIDs mentioning @debian.org, because that would cause a lot of
>> > trouble for the person to come back to the Debian project, I think. One
>> > cannot revoke a revocation certificate, AFAIK...
>> Yes, you can. Just sign the key again. Recent GnuPG versions will
>> handle this correctly.
> Will that work correctly in remote keys (i.e. if one key that HAS the
> revocation signature on top of the old signature, and fetches the new
> signature, does it wipe the old sig and rev. sig?)
It doesn't wipe it (both signatures are still there), but it reverses
the effect of the revocation.
>> I don't think it's a good idea to express trust by membership in the
>> Debian keyring. Why can't we use bare OpenPGP for that?
> We don't use that because (AFAIK):
> 1. It is slower by a factor of 10, if not more.
This will be fixed in GnuPG 1.0.7.
> If (1) is not a problem anymore, and you are offering to fix all the
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898