
Re: Question about gpg key.



Hi,

Thank you very much for replies.

> If I were to be your sponsor, I could do
> everything without you even having a GPG key.

Hmm, it looks like a very unusual way of maintaining packages. Sponsored
maintainers usually use mentors.debian.net, and they must sign their packages
before upload.

> But anyway - Create a new key. Try to get it signed. Even if the old
> one has many signatures, start getting people (especially those better
> connected) to sign the new one. *Do* sign the new key with the old
> one, to assure people who already know you that it is still you doing
> this.

Sorry, but you missed the beginning of this thread [1]. I already have the new key.
From the replies I understand that no additional action is necessary when a
sponsored maintainer decides to change his (unsigned) key.

> Since it hasn't been mentioned in this thread, Ana's page on creating a
> new 4096R key and configuring gnupg properly was extremely helpful to me:
> http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/

Yes, this link is present on the wiki page. I didn't use these instructions, but they
look very useful.

>>  Should I sign my new key by old one or make any other action?
>
> Assuming your two keys have the same User IDs on them:
>
> Signing the new key with the old one is a way of making a strong
> cryptographic assertion that the holder of the old key believes that the
> new key is legitimate.
>
> If that's the case, I don't see why you wouldn't want to make such an
> assertion.
>
>>  Or can I just use new key as it is?
>
> You can of course use it as it is; but making the assertion mentioned
> above (and writing and publishing a transition statement signed by both
> keys, e.g. http://fifthhorseman.net/key-transition-2007-06-15.txt) will
> help to convince some of the folks who signed your old key to sign the
> new one.

OK, I understand this scheme. But in my case nobody was signed by the old key, and
nobody has signed it. So there is no reason to sign my new key with the old one.

Best regards,
Boris


[1] http://lists.debian.org/debian-newmaint/2012/01/threads.html#00071
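The transition procedure the quoted reply describes (certify the new key with the old one, then publish a statement clearsigned by both keys), carried out end to end as an added example that is not part of the original thread. It assumes GnuPG 2.1 or newer is installed as `gpg`; the user ID, the key sizes and the statement text are constructed for the demo, and everything runs in a throwaway GNUPGHOME so the real keyring is never touched.

```shell
#!/bin/sh
# Key transition walk-through (added example, not from the original thread).
# Assumes GnuPG 2.1+ is on PATH as `gpg`. Runs in a throwaway GNUPGHOME so the
# real keyring is never touched. The user ID, key sizes and statement text are
# constructed for the demo (rsa2048 only keeps key generation fast; a real key
# should be rsa4096, as the thread recommends).

DEMO_UID="Demo Maintainer <demo@example.org>"   # hypothetical identity
GPG_AVAILABLE=no
NEW_SIGNED_BY_OLD=no
STATEMENT_SIGS=0
OLD_FPR=""
NEW_FPR=""

# Non-interactive gpg with an empty passphrase; acceptable for throwaway keys only.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Generate a key for the given user ID and print its fingerprint, taken from the
# machine-readable KEY_CREATED status line (both demo keys share one UID, so
# looking the fingerprint up by UID afterwards would be ambiguous).
gen_key() {
    g --status-fd 1 --quick-gen-key "$1" rsa2048 default 1y \
        | awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4 }'
}

# Succeed if key $2 carries a good ("!") certification made by key $1.
certified_by() {
    kid=$(printf '%s' "$1" | tail -c 16)   # long key ID = last 16 hex digits of the fingerprint
    gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
        | awk -F: -v kid="$kid" \
            '$1 == "sig" && $2 == "!" && $5 == kid { ok = 1 } END { exit !ok }'
}

# Print how many of the fingerprints $2 and $3 produced a VALIDSIG on file $1.
count_valid_sigs() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | awk -v a="$2" -v b="$3" \
            '$2 == "VALIDSIG" && ($3 == a || $3 == b) { n++ } END { print n + 0 }'
}

run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Early 2.1.x agents reject loopback pinentry unless explicitly allowed.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    OLD_FPR=$(gen_key "$DEMO_UID")   # stands in for the key being retired
    NEW_FPR=$(gen_key "$DEMO_UID")   # the replacement, same user ID

    # Step 1: certify the new key with the old one. This is the cryptographic
    # assertion the quoted reply describes.
    g -u "$OLD_FPR" --quick-sign-key "$NEW_FPR"
    if certified_by "$OLD_FPR" "$NEW_FPR"; then NEW_SIGNED_BY_OLD=yes; fi

    # Step 2: a transition statement clearsigned by BOTH keys in one message,
    # so a reader who only knows the old key can still verify it.
    stmt="$GNUPGHOME/transition.txt"
    cat > "$stmt" <<EOF
Key transition statement (constructed for this demo)

I am retiring my OpenPGP key $OLD_FPR
in favour of the new key    $NEW_FPR
The new key is certified by the old one. If you signed my old key and trust
this statement, please sign the new key too.
EOF
    g -u "$OLD_FPR" -u "$NEW_FPR" --clearsign -o "$stmt.asc" "$stmt"

    # Step 3: what a recipient checks before re-signing: both signatures valid.
    STATEMENT_SIGS=$(count_valid_sigs "$stmt.asc" "$OLD_FPR" "$NEW_FPR")
    echo "new key certified by old key: $NEW_SIGNED_BY_OLD"
    echo "valid signatures on statement: $STATEMENT_SIGS (expect 2)"
}

if command -v gpg >/dev/null 2>&1; then
    GPG_AVAILABLE=yes
    run_demo
else
    echo "gpg not found; skipping demo" >&2
fi
```

The recipient-side checks are the part worth copying: `--check-sigs` on the new key must show a good ("!") certification from the old key ID, and `--verify` on the statement must yield a VALIDSIG for both fingerprints; a statement signed by only one key proves nothing about the link between them. Note that the cross-certification only carries the trust the old key already had: where the old key has no signatures, as in the situation described above, it still ties the two keys to one holder but gives nobody a reason to sign the new key that they did not already have.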

