Migrating keys
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Wed Nov 26 08:40:02 CET 2003
On Tuesday 25 November 2003 20:49, Neil Williams wrote:
> On Monday 24 Nov 2003 10:49 pm, Jens Kubieziel wrote:
> I've thought about that before and I've put a page on the DCLUG website
> that outlines what I hope is a decent method. Now's as good a time as any
> to ask if others think it'll work!
> http://www.dclug.org.uk/linux_doc/gnupgsign.html#transfer
[...]
It's not watertight. If I have both your secret key and your email account, I
can do all of this, and have in the end a trusted key to your name where you
don't have the secret key. Granted, I'll need continued access to your mail
account, but in some circumstances this may be easy.
I think it's important to think again about what David said: a signature on a
key is a public statement. It's not just that you (as the recipient of such a
'sign my new key' request) believe that nothing bad is going on, but you are
publicly asserting that the key is genuine, and others rely on this. Possibly
to do things with expensive real-world consequences if you are wrong (sending
passwords, ...)
cheers
-- vbi
--
featured link: http://www.pool.ntp.org