Migrating keys

Atom 'Smasher' atom at suspicious.org
Thu Nov 27 12:29:04 CET 2003


> > another observation, is that a signed email [claiming to be] from bob
> > saying:
> > 	my old key isn't good any more, here's my new key...
> >
> > (even though many of us would not trust it, at face value) really has just
> > as much validity as a new sub-key (which most of us would trust, at face
> > value) because both are signed by bob's signing key, which we trust (and
> > may have certified to trust) belongs to bob.... social aspects aside, is
> > there really a technical difference between trusting a new sub-key and
> > trusting a signed email, like above? (i propose there is no difference)
>
> There might not be a big difference between trusting a new subkey and trusting
> a new key on the grounds of the above email. BUT (and it's the same argument
> that came up in this thread already), it's a big difference between trusting
> a new subkey for encrypting messages and *signing* a new key, which means
> that other people then are going to trust that new key based on your belief.
>
> All signatures on a key have a date - I think it is entirely plausible to
> implement a trust model where older signatures have less impact on key trust.
> Independently of the expiration date which is set by the signer, this would
> be influenced only by the user of a public key.
=====================================================

but, if i sign your key, and you add a sub-key, that carries my signature,
just the same as your original key that i signed... my understanding of
PGP/GPG is that it's easy to "go back in time" and add a sub-key, so it
would appear that the sub-key was also signed.

in one case (based on a signed email) one might (or might not) explicitly
sign a new key... in the other case (a new sub-key is generated) one has
implicitly (and unknowingly) signed the new sub-key.

anyway, it does kinda make sense that a trust model should devalue
signatures as they get older....


 	...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"Beware, a record of the books you borrow may end up
	 in the hands of the FBI. And if the FBI requests
	 your records, librarians are prohibited by law from
	 telling you about it. Questions about this policy
	 should be directed to Attorney General John Ashcroft,
	 Department of Justice, Washington, D.C. 20530."
		-- Sign greeting patrons entering all 10 of
		the county libraries in Santa Cruz, California
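The question raised above, whether a certifier's signature also covers a subkey added later, can be checked against the packet layout itself. The following is an added example, not code from the post or from GnuPG: it walks a constructed, simplified OpenPGP-style packet stream (RFC 4880 packet tags and signature types) and reports which key ID signed which component; the key IDs, the trimmed header and signature bodies, and the user ID are assumptions made for illustration.

```python
# Added example: which signatures cover which part of a (constructed) OpenPGP key.
# Simplifications (assumptions): new-format headers with a one-octet length,
# v4 signature bodies trimmed to version, type and an 8-byte issuer key ID,
# and no real key material or MPIs.
PUBKEY, SUBKEY, USERID, SIG = 6, 14, 13, 2     # RFC 4880 packet tags
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}          # certifications of a user ID (self or third party)
SUBKEY_BINDING = 0x18                          # primary key binding a subkey to itself

def packet(tag, body):
    # New-format packet header with a one-octet body length (bodies here are < 192 bytes).
    return bytes([0xC0 | tag, len(body)]) + body

def sig(sig_type, issuer):
    # Trimmed v4 signature body: version octet, signature type, issuer key ID.
    return packet(SIG, bytes([4, sig_type]) + issuer)

BOB = bytes.fromhex("0000000000000B0B")    # constructed key ID of the key owner
ATOM = bytes.fromhex("00000000000A7031")   # constructed key ID of a third-party certifier

# Constructed key: primary key, a user ID certified by Bob (self-signature) and by Atom,
# then a subkey added later, bound only by a signature from Bob's own primary key.
KEY = (packet(PUBKEY, b"\x04primary") + packet(USERID, b"bob@example.test")
       + sig(0x13, BOB) + sig(0x13, ATOM)
       + packet(SUBKEY, b"\x04subkey") + sig(SUBKEY_BINDING, BOB))

def parse(stream):
    # Yield (tag, body) for each packet in the stream.
    pos = 0
    while pos < len(stream):
        tag, length = stream[pos] & 0x3F, stream[pos + 1]
        yield tag, stream[pos + 2:pos + 2 + length]
        pos += 2 + length

def who_signed_what(stream):
    """Map each key component to the (signature type, issuer key ID) pairs covering it."""
    covered, current = {}, None
    for tag, body in parse(stream):
        if tag in (PUBKEY, USERID, SUBKEY):
            current = {PUBKEY: "primary", USERID: body.decode(), SUBKEY: "subkey"}[tag]
            covered[current] = []
        elif tag == SIG:
            sig_type, issuer = body[1], body[2:10].hex().upper()
            if sig_type in CERT_TYPES or sig_type == SUBKEY_BINDING:
                # A signature packet applies to the component that precedes it.
                covered[current].append((hex(sig_type), issuer))
    return covered

if __name__ == "__main__":
    for component, sigs in who_signed_what(KEY).items():
        print(component, "<-", sigs)
```

The third-party certification lands on the user ID, while the only signature over the subkey is the owner's own binding signature, so a certifier has not signed the subkey, explicitly or otherwise.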
