Re: Migrating to GPG - A mini-HOWTO
On Tue 14 Sep 1999, Michael Stone wrote:
> On Tue, Sep 14, 1999 at 11:55:39PM +0200, Martin Schulze wrote:
> > Michael Stone wrote:
> > > Not really. What if the pgp key is compromised? The original owner can
> > > release a revocation certificate for the pgp key, but if someone creates
> > > a new gpg key that you sign based on the (compromised) pgp key then
> > > you've possibly validated a key that the original owner cannot revoke.
> > > That would be bad.
> >
> > So what do you propose? Not using any digital signing at all?
>
> How does that follow at all? Take a breath and calm down.
I think his point is that if you can't trust a pgp signature to
sign a gpg key, why should you trust a pgp signature to do anything
at all, e.g. accept an uploaded package. Seems like a reasonable
argument.
Paul Slootman
--
home: paul@wurtel.demon.nl http://www.wurtel.demon.nl/
work: paul@murphy.nl http://www.murphy.nl/
debian: paul@debian.org http://www.debian.org/
isdn4linux: paul@isdn4linux.de http://www.isdn4linux.de/