Re: Unable to fix my bugs -- Debian keyring -- vacation
On Mon, Jun 24, 2002 at 03:39:47PM +0200, Loic Dachary wrote:
> I've collected keys from various developers (including myself)
> in a similar situation (key expired + renewed). I sent a request with
> these keys + a script to check them in order to facilitate the work
> of keyring-maint + a calendar of Debian developers who will suffer from the
> same problem. It was last month and I got no reply at all.

Well, some time ago elmo talked about expired keys in #debian-devel:

< Robot101> if a key has expired on the keyservers, the best thing to do
    is make a new one, sign your new with the old, and revoke the
    old, right?
< Robot101> then get someone else to sign the new, and grovel to elmo?
< elmo_home> Robot101: no, change the expiration date, send it to
    keyring.d.o
< vorlon> There's no clear consensus in the PGP-using community whether
    it should be possible to push back a key's expiration date once
    set.
< Robot101> elmo_home: even if it's expired on the public and debian
    keyservers?!
< vorlon> Oh. But, if elmo says it's ok, then it's ok. :)
< elmo_home> Robot101: yes
< azeem> elmo_home: Mind if I quote you on -devel? There seem to be *lots*
    of people unsure of this
< vorlon> Robot101: unless you have cryptographic verification of your
    timestamps, it's meaningless to talk about whether a key is
    already expired when deciding whether changes should be allowed
    to it.
< asuffield> and how the heck can you verify timestamps like that?
< vorlon> The only question is whether it should be permitted to revoke
    old self-sigs and push the expiration date back, or if PGP
    should always use the earliest expiration date it can find.
< asuffield> that would be quite an interesting protocol
< vorlon> asuffield: well, the fact that it doesn't exist yet should be
    a good indicator.
< elmo_home> azeem: I'm planning to post something in a bit, but do
    whatever you want
< michaelw> asuffield: timestamp-authority or whatever it's called, of
    course that has to be a trusted TA... :>
< azeem> elmo_home: ok, well. What about those who already got a new key
    signed and sent it to you?
< elmo_home> azeem: that's part of the post; basically, unless they've
    done something like revoke their old key, the new key's not
    going to be accepted.. there's no need to go weakening the web
    of trust for no good reason

Hopefully, this is informative to somebody until elmo posts
something more official.

bye,
Michael