[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Unable to fix my bugs -- Debian keyring -- vacation

On Mon, Jun 24, 2002 at 03:39:47PM +0200, Loic Dachary wrote:
> 	I've collected keys from various developers (including myself)
> in a similar situation (key expired + renewed). I sent a request with
> these keys + a script to check them in order to facilitate the work
> of keyring-maint + a calendar of debian developers who will suffer of the
> same problem. It was last month and I got no reply at all.

Well, some time ago elmo talked about expired keys in #debian-devel:

< Robot101> if a key has expired on the keyservers, the best thing to do
        is make a new one, sign your new with the old, and revoke the
        old, right?
< Robot101> then get someone else to sign the new, and grovel to elmo?
< elmo_home> Robot101: no, change the expiration date, send it to
< vorlon> There's no clear consensus in the PGP-using community whether
        it should be possible to push back a key's expiration date once
< Robot101> elmo_home: even if it's expired on the public and debian
< vorlon> Oh. But, if elmo says it's ok, then it's ok. :)
< elmo_home> Robot101: yes
< azeem> elmo_home: Mind if I quote you on -devel? There seem to *lots*
        of people unsure of this
< vorlon> Robot101: unless you have cryptographic verification of your
        timestamps, it's meaningless to talk about whether a key is
        already expired when deciding whether changes should be allowed
	to it.
< asuffield> and how the heck can you verify timestamps like that?
< vorlon> The only question is whether it should be permitted to revoke
        old self-sigs and push the expiration date back, or if PGP
        should always use the earliest expiration date it can find.
< asuffield> that would be quite an interesting protocol
< vorlon> asuffield: well, the fact that it doesn't exist yet should be
        a good indicator.
< elmo_home> azeem: I'm planning to post something in a bit, but do
        whatever you want
< michaelw> asuffield: timestamp-authority or whatever it's called, of
        course that has to be a trusted TA... :>
< azeem> elmo_home: ok, well. What about those who already got a new key
        signed and sent it to you?
< elmo_home> azeem: that's part of the post; basically, unless they've
        done something like revoke their old key, the new key's not
        going to be accepted.. there's no need to go weakening the web
        of trust for no good reason

Hopefully, this is informative to somebody until elmo will post
something more official.



To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: