Hello,

On Wed, 20 Feb 2008, David Paleino wrote:
> is there any procedure to follow in case one needs to revoke his GPG key (thus
> creating a new one)?
>
> I mean, I have some packages in Debian, which are signed by my current key
> (0x1392B174). Is it sufficient to start signing new packages with my new key?

The only real reason to revoke the primary GPG key would be when there
are security concerns about it like:

1. You feel that you have chosen a key size which is too small.
2. You "lost" your key in some way.
3. Your private key has become exposed.

Otherwise, you can continue to use your GPG key "forever". Note that
you can add different sub-keys and different e-mail identities to your
primary key so you are not stuck with using the same location
information.

> I've also applied NM, but I'm in an early stage -- my key hasn't been
> "involved" yet.

In some sense your key is already "involved" since (for example) the
key with which you signed your packages on mentors has entered my
key-ring and is used to verify newer packages that you upload to
mentors. If packages now appear on mentors signed with the new keys
how can I be sure that it is the same David Paleino whose excellent
packages I sponsored earlier ;-)

More seriously, you should think carefully about why you want to
revoke your key.

Regards,

Kapil.