On Wed, Apr 10, 2002 at 09:16:26PM -0400, christophe barb? wrote: > I don't see how we can be sure that you (the new-key owner) are you (the > old-key owner). > > As I understand it, this kind of "chain of establishment" can only work > if you sign your new key with your old one. But IIUC you lost your old > private key. > > I may be wrong, > Christophe > Well, you got 2 choices then. You can either accept the tracing pattern I've established or not. My packge(s) will be signed by the new key and I will be using it for all debian communications from now on. (I don't mean that rudely either. Can't state it any simpler than that.) I can't do anything about the fact that I no longer have the old secret key from which to sign the new one with. I've notified this group that the key was lost when it was lost, I've generated a new one, I've signed the old one with the new one, I've posted the old key signed by the new key and the new key on the upstream source site for my package(s) and my non-debian related websites, I've posted the old key with the new key's signature to the keyservers and to this group, I've posted the new key to the keyservers and this group. I've notifed everyone at evey step of the way what I was doing. So far I've done the following 1) Replaced the OLD key (42D8F306) with the NEW one (C5A76BF6). 2) Signed the OLD public key (42D8F306) with the NEW one (C5A76BF6). 3) Posted the OLD public key (42D8F306) signed with the NEW key's (C5A76BF6) signature to the following 1) public keyservers 2) debian-devel@lists.debian.org 3) main upstream source site for affected packages 3) Put the newly signed OLD public key (42D8F306) on the upstream website in an ascii file for download with an embedded signature. 4) Posted the NEW public key (C5A76BF6) to the following: 1) public keyservers 2) debian-devel@lists.debian.org 3) Main upstream source site for affected packages 5) Notified affected parties via the debian-devel@lists.debian.org newsgroup of all steps taken, starting from loss, to replacement, to link path taken. Not much more I can do since the old secret key and public keyrings were lost. It's going to have to suffice as I have taken every step possible to ensure that the chain of events was totally and completely documented both accurately and publicly to ensure a proper traceback can be made. -- David D.W. Downey <david-downey@codecastle.com> Upstream - libpam-pgsql.codecastle.com Debian - Woody: 0.5.2-2 Sid: 0.5.2-3 State - bugs.debian.org/libpam-pgsql
Attachment:
pgpN8YsvIGHme.pgp
Description: PGP signature