
Re: Big problem - GnuPG key deleted



On Tue, Jul 15, 2003 at 08:39:41AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Monday 14 July 2003 23:48, Steve Langasek wrote:
> > On Mon, Jul 14, 2003 at 03:35:43PM +0200, Robert Jördens wrote:
> > > So sign all the requests about revoking signatures with your new and
> > > trusted key!

> > Anyone who trusts the identity of the owner of the new key based only on
> > the above evidence immediately gets marked as untrusted in my keyring.

> why? The requirement is for the new key to be trusted. That would mean that it 
> is signed by enough [trusted] people. 

> I have an old key, signed by a few people. I have a new key, signed by a few 
> people (partly the same, perhaps, as signed the old key). Now when a 
> new-key-signed request to revoke sigs on the old key comes in, why distrust 
> it when the new key is basically trusted?

A keyholder who makes signing decisions based on what *other* people
have signed adds nothing of value to the web of trust -- and can do a
lot of damage by distorting trust metrics.

If your new key is trusted, why is it important to get me to revoke my
signature on the old key?  If it's important, why should I agree to
revoke the signature without first-hand evidence of your identity?

-- 
Steve Langasek
postmodern programmer
