
Re: David D.W. Downey - Old Key 42D8F306 Signed by New Key C5A76BF6

On Wed, Apr 10, 2002 at 09:16:26PM -0400, christophe barbé wrote:
> I don't see how we can be sure that you (the new-key owner) are you (the
> old-key owner).
> As I understand it, this kind of "chain of establishment" can only work
> if you sign your new key with your old one. But IIUC you lost your old
> private key.
> I may be wrong,
> Christophe

Well, you got 2 choices then. You can either accept the tracing pattern
I've established or not. My package(s) will be signed by the new key and
I will be using it for all debian communications from now on.

(I don't mean that rudely either. Can't state it any simpler than that.)

I can't do anything about the fact that I no longer have the old secret
key from which to sign the new one with. I've notified this group that
the key was lost when it was lost, I've generated a new one, I've signed
the old one with the new one, I've posted the old key signed by the new
key and the new key on the upstream source site for my package(s) and my
non-debian related websites, I've posted the old key with the new key's
signature to the keyservers and to this group, I've posted the new key
to the keyservers and this group. I've notified everyone at every step of
the way what I was doing.

So far I've done the following

1) Replaced the OLD key (42D8F306) with the NEW one (C5A76BF6).

2) Signed the OLD public key (42D8F306) with the NEW one (C5A76BF6).

3) Posted the OLD public key (42D8F306) signed with the NEW key's
   (C5A76BF6) signature to the following:
		1) public keyservers
		2) debian-devel@lists.debian.org
		3) main upstream source site for affected packages

3) Put the newly signed OLD public key (42D8F306) on the upstream
   website in an ascii file for download with an embedded signature.

4) Posted the NEW public key (C5A76BF6) to the following:
		1) public keyservers
		2) debian-devel@lists.debian.org
		3) Main upstream source site for affected packages

5) Notified affected parties via the debian-devel@lists.debian.org
   newsgroup of all steps taken, starting from loss, to replacement,
   to link path taken.

Not much more I can do since the old secret key and public keyrings were
lost. It's going to have to suffice as I have taken every step possible
to ensure that the chain of events was totally and completely documented
both accurately and publicly to ensure a proper traceback can be made.

David D.W. Downey <david-downey@codecastle.com>
Upstream - libpam-pgsql.codecastle.com
Debian - Woody: 0.5.2-2   Sid: 0.5.2-3
State - bugs.debian.org/libpam-pgsql
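
The direction-of-signature point raised in the quoted reply, as an added example that is not part of the original thread: certifications are modelled as signer-to-signed edges, and a verifier who trusts only the old key looks for a chain to the new one. It assumes, as a simplification, that every certified key may itself certify others; the key ID AAAA0001 is a constructed placeholder.

```python
from collections import deque

# A certification is the signer vouching for the signed key, so trust
# flows in one direction only: signer -> signed key.
OLD, NEW = "42D8F306", "C5A76BF6"

# What the message describes: the NEW key signed the OLD public key.
posted = [(NEW, OLD)]

# What the quoted reply asks for (not possible here: old secret key lost).
old_signs_new = [(OLD, NEW)]

# Hypothetical alternative: a third key the verifier already trusts
# certifies the new key. "AAAA0001" is a constructed placeholder key ID.
third_party = [("AAAA0001", NEW)]


def vouched_for(target, trusted, certs):
    """Return the chain of key IDs from a trusted key to target, or None."""
    queue = deque([k] for k in trusted)
    seen = set(trusted)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for signer, signed in certs:
            # Follow an edge only from the key we have already reached.
            if signer == path[-1] and signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    cases = [
        ("new key signs old key", posted, {OLD}),
        ("old key signs new key", old_signs_new, {OLD}),
        ("third party signs new key", third_party, {"AAAA0001"}),
    ]
    for label, certs, trusted in cases:
        chain = vouched_for(NEW, trusted, certs)
        print(f"{label}: {' -> '.join(chain) if chain else 'no chain to new key'}")
```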
