List:       gnupg-users
Subject:    Re: Migrating keys
From:       "Adrian 'Dagurashibanipal' von Bidder" <avbidder () fortytwo ! ch>
Date:       2003-11-26 7:40:02

On Tuesday 25 November 2003 20:49, Neil Williams wrote:
> On Monday 24 Nov 2003 10:49 pm, Jens Kubieziel wrote:

> I've thought about that before and I've put a page on the DCLUG website
> that outlines what I hope is a decent method. Now's as good a time as any
> to ask if others think it'll work!
> http://www.dclug.org.uk/linux_doc/gnupgsign.html#transfer
[...]

It's not watertight. If I have both your secret key and your email account, I 
can do all of this, and have in the end a trusted key to your name where you 
don't have the secret key.  Granted, I'll need continued access to your mail 
account, but in some circumstances this may be easy.

I think it's important to think again about what David said: a signature on a 
key is a public statement. It's not just that you (as the recipient of such a 
'sign my new key' request) believe that nothing bad is going on, but you are 
publicly asserting that the key is genuine, and others rely on this. Possibly 
to do things with expensive real-world consequences if you are wrong (sending 
passwords, ...)

cheers
-- vbi


-- 
featured link: http://www.pool.ntp.org
