Migrating keys

David Shaw dshaw at jabberwocky.com
Mon Nov 24 19:59:46 CET 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Nov 25, 2003 at 01:20:34AM +0100, Jesús Roncero Franco wrote:
> On Tuesday 25 November 2003 00:09, David Shaw wrote:
> > The problem with this is that lacking some additional information,
> > your old signers do not know if you are you, or if you are someone
> > else who has stolen your old key.
> 
> And then, how do you trust a signed and encrypted message from someone? I mean, if 
> one of your signers sends you a message, how do you know if it is a good 
> message or a message from someone who stole the key?

These are two different problems.  In the case of someone presenting
me with a signed document, I may accept it or not depending on whatever
criteria I want to use (how much validity I give the signing key,
mostly).  In the case of signing a key, I am making a public assertion
of verification, which is a substantially more rigorous check.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.4-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAj/CqYEqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJxz4AoNr6pGGwjEC/72qYdKELHqSVApvMAKCj
kzC0zsowN+lW7/5gyNfOoRgm+Q==
=+CPh
-----END PGP SIGNATURE-----


