
Re: GPG key change



Hello,

On Wed, 20 Feb 2008, David Paleino wrote:
> is there any procedure to follow in case one needs to revoke his GPG key (thus
> creating a new one)?
> 
> I mean, I have some packages in Debian, which are signed by my current key
> (0x1392B174). Is it sufficient to start signing new packages with my new key?

The only real reason to revoke the primary GPG key would be when
there are security concerns about it like:
	1. You feel that you have chosen a key size which is too
	small.
	2. You "lost" your key in some way.
	3. Your private key has become exposed.

Otherwise, you can continue to use your GPG key "forever". Note that
you can add different sub-keys and different e-mail identities to
your primary key so you are not stuck with using the same location
information.

> I've also applied NM, but I'm in an early stage -- my key hasn't been
> "involved" yet.

In some sense your key is already "involved" since (for example) the
key with which you signed your packages on mentors has entered my
key-ring and is used to verify newer packages that you upload to
mentors. If packages now appear on mentors signed with the new keys
how can I be sure that it is the same David Paleino whose excellent
packages I sponsored earlier ;-)

More seriously, you should think carefully about why you want to
revoke your key.

Regards,

Kapil.
--
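The point Kapil makes above (add subkeys and identities to the existing primary key rather than revoking it, because a sponsor's keyring already trusts that primary) can be seen end to end with two throwaway keyrings. The script below is an added example, not part of the mailing-list post and not a Debian or mentors tool; it assumes GnuPG 2.1 or later (for the `--quick-*` commands), uses constructed names and addresses, and builds everything under a temporary GNUPGHOME so it touches no real keys. It signs a stand-in file with a newly added signing subkey and then with a completely fresh key, and checks which signature the "sponsor" keyring can tie back to the primary fingerprint it already holds.

```shell
#!/bin/sh
# Added example (not from the original post): why adding a signing subkey to
# an existing primary key keeps a sponsor's trust, while a brand-new key does
# not.  Assumes GnuPG 2.1+.  All identities and files here are constructed.
set -eu

# Run gpg non-interactively against a given home directory.
g() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --quiet --no-tty --yes \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of the first key matching $2 in keyring $1.
primary_fpr() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Verify detached signature $2 over file $3 in keyring $1.  Prints the
# primary fingerprint behind the signing key, or NOKEY if the key is unknown.
verify_primary() {
    out=$(g "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    printf '%s\n' "$out" |
        awk '/^\[GNUPG:\] VALIDSIG/{print $NF; ok=1} END{if(!ok)print "NOKEY"}'
}

demo_subkey_vs_newkey() {
    tmp=$(mktemp -d)
    maint="$tmp/maintainer"; sponsor="$tmp/sponsor"; fresh="$tmp/fresh"
    mkdir -m 700 "$maint" "$sponsor" "$fresh"
    printf 'Source: example\n' > "$tmp/example.dsc"   # stand-in for an upload

    # 1. The maintainer's existing key; the sponsor imported it earlier.
    g "$maint" --quick-generate-key 'Example Maintainer <m@example.org>' ed25519 sign never
    fpr=$(primary_fpr "$maint" m@example.org)
    g "$maint" --export "$fpr" | g "$sponsor" --import

    # 2. Instead of revoking: add a second e-mail identity and a new signing
    #    subkey.  Both are certified by the same primary key.
    g "$maint" --quick-add-uid "$fpr" 'Example Maintainer <m@newjob.example>'
    g "$maint" --quick-add-key "$fpr" ed25519 sign never
    sub=$(g "$maint" --with-colons --list-keys "$fpr" |
          awk -F: '$1=="sub"{id=$5} END{print id}')

    # 3. Sign with the new subkey only (the trailing '!' forces that exact key).
    g "$maint" -u "${sub}!" --detach-sign --armor -o "$tmp/sub.asc" "$tmp/example.dsc"
    # Until the sponsor refreshes the key, the subkey is simply unknown...
    before=$(verify_primary "$sponsor" "$tmp/sub.asc" "$tmp/example.dsc")
    # ...after a refresh (here: re-import the export) the signature verifies
    # and resolves to the primary fingerprint the sponsor already trusted.
    g "$maint" --export "$fpr" | g "$sponsor" --import
    after=$(verify_primary "$sponsor" "$tmp/sub.asc" "$tmp/example.dsc")

    # 4. Contrast: a brand-new key with the same name is a different identity
    #    as far as the sponsor's keyring is concerned.
    g "$fresh" --quick-generate-key 'Example Maintainer <m@example.org>' ed25519 sign never
    g "$fresh" --detach-sign --armor -o "$tmp/new.asc" "$tmp/example.dsc"
    g "$fresh" --export | g "$sponsor" --import
    newfpr=$(verify_primary "$sponsor" "$tmp/new.asc" "$tmp/example.dsc")

    for h in "$maint" "$sponsor" "$fresh"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$tmp"

    r1=$([ "$before" = NOKEY ] && echo unknown-before-refresh || echo verified-before-refresh)
    r2=$([ "$after" = "$fpr" ] && echo same-primary || echo different-primary)
    r3=$([ "$newfpr" != "$fpr" ] && echo new-key-distinct || echo new-key-same)
    echo "$r1 $r2 $r3"
}
```

Run it with `. ./demo.sh && demo_subkey_vs_newkey`; the expected line is `unknown-before-refresh same-primary new-key-distinct`. The middle token is the whole argument: a sponsor who verifies with `--status-fd` and compares the primary fingerprint at the end of the VALIDSIG line against the one already in the keyring accepts the subkey-signed upload without any new trust decision, whereas the fresh key needs to be re-verified out of band just as the original one was.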


