Migrating keys

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Wed Nov 26 08:40:02 CET 2003

On Tuesday 25 November 2003 20:49, Neil Williams wrote:
> On Monday 24 Nov 2003 10:49 pm, Jens Kubieziel wrote:

> I've thought about that before and I've put a page on the DCLUG website
> that outlines what I hope is a decent method. Now's as good a time as any
> to ask if others think it'll work!
> http://www.dclug.org.uk/linux_doc/gnupgsign.html#transfer

It's not watertight. If I have both your secret key and your email account, I 
can do all of this, and have in the end a trusted key to your name where you 
don't have the secret key.  Granted, I'll need coninued access to your mail 
account, but in some circumstances this may be easy.

I think it's important to think again about what David said: a signature on a 
key is a public statement. It's not just that you (as the recipient of such a 
'sign my new key' request) believe that nothing bad is going on, but you are 
publicly asserting that the key is genuine, and others rely on this. Possibly 
to do things with expensive real-world consequences if you are wrong (sending 
passwords, ...)

-- vbi

featured link: http://www.pool.ntp.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 331 bytes
Desc: signature
Url : /pipermail/attachments/20031126/b6c324f5/attachment.bin

More information about the Gnupg-users mailing list