Petter Reinholdtsen wrote [Thu, Aug 06, 2009 at 12:16:30PM +0200]:
> [Jan Wagner]
> > .oO(*note* don't keysign with Petter Reinholdtsen for now)
>
> No problem. I do not believe we know each other, so that is just as
> it should be. :)
Old keys tend to have old mail addresses — as for me, since I started using 1024/8BB527AF I have switched my main mail address twice and added/deleted a couple of identities. Yes, I revoked the identities I don't have access to anymore. If somebody registers gwolf.cx, or somebody gets my old account at campus.iztacala.unam.mx, they will get my mails. It is extremely unlikely they will be able to make any sense out of my GPG-crypted mails at that address.

So, what am I losing if you just upload the keys to the server? Very little, but still: some people might see you (hypothetically - it is _not_ the case) signed my key in 2009 and decide to write me a personal, unencrypted mail to said addresses before checking if the address does reach me - after all, you (would) have just validated it!

Even worse: what would happen if I were stupid enough back in 2003 to leave a copy of my private key on that machine when I quit that job? Well, they would have my well-signed key _and_ control of one of its identities. Even if it is people unable to properly "bake" a Debian package, they could (ab)use my trusted identity. It's "just" a matter of them breaking my GPG passphrase :-}

Of course, were I to get crypted mails there, we lose nothing. And I really really don't expect them to get my private key. Still, it is a possibility better left closed.

-- 
Gunnar Wolf • [email protected] • (+52-55)5623-0154 / 1451-2244

_______________________________________________
Debconf-discuss mailing list
[email protected]
http://lists.debconf.org/mailman/listinfo/debconf-discuss
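The practical consequence of the mail above is that a keysigner should never certify a key wholesale: revoked user IDs must be left alone, and a user ID whose address you have not confirmed still reaches the owner (for instance by getting an answer to mail encrypted to that key at that address) should not get your signature either. The following is an added example, not code from the original mail or from any of the participants. It parses the machine-readable output of `gpg --with-colons --list-keys`, drops user IDs that are revoked or expired (going slightly beyond the mail, which only discusses revoked ones), keeps only those with an address you have verified, and prints the `uid N` / `sign` / `save` sequence to type at the `gpg --edit-key` prompt. The listing, key ID, fingerprint, UID hashes, name and addresses are constructed placeholders; it also assumes that `--edit-key` numbers user IDs in listing order, counting revoked UIDs and photo IDs, which is what current GnuPG does but is worth checking against the prompt before typing `sign`.

```python
"""Pick which user IDs on a key to certify, from `gpg --with-colons` output.

Added example (not from the original mail). Before `gpg --edit-key ... sign`,
filter out revoked/expired UIDs and any address you have not verified still
reaches the key owner, then emit the --edit-key commands that certify only
the remaining UIDs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `gpg --with-colons --list-keys <KEYID>` output.
# Key ID, fingerprint, UID hashes, name and addresses are invented placeholders.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1046000000:::-:::scaESCA::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1046000000::0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D::Example Person <person@current.example>::::::::::0:
uid:r::::1046000000::1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E::Example Person <person@campus.old-employer.example>::::::::::0:
uid:-::::1146000000::2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F::Example Person <person@lapsed-domain.example>::::::::::0:
uat:-::::1146000000::3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60::1 2048::::::::::0:
sub:-:1024:16:FEDCBA9876543210:1046000000::::::e::::::23:
"""

EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


@dataclass
class Uid:
    index: int            # 1-based position; assumption: `gpg --edit-key` numbers UIDs in
                          # listing order and counts revoked UIDs and photo IDs as well
    validity: str         # colon field 2: 'r' revoked, 'e' expired, '-' unknown, 'f'/'u' valid
    text: str             # colon field 10, with \x3a unescaped back to ':'
    email: Optional[str]  # address in angle brackets, lower-cased; None for photo IDs


def _unescape(s: str) -> str:
    # gpg escapes ':' inside the user ID as \x3a in colon-format output
    return s.replace("\\x3a", ":")


def parse_fingerprint(listing: str) -> str:
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "fpr":
            return f[9]          # field 10 of an fpr record is the fingerprint
    raise ValueError("no fpr record in listing")


def parse_uids(listing: str) -> List[Uid]:
    uids: List[Uid] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("uid", "uat"):
            continue
        text = _unescape(f[9]) if f[0] == "uid" else "[photo user ID]"
        m = EMAIL_RE.search(text)
        uids.append(Uid(len(uids) + 1, f[1], text, m.group(1).lower() if m else None))
    return uids


def signable_uids(uids: List[Uid], verified_emails) -> List[Uid]:
    """Keep only UIDs that are neither revoked nor expired and whose address you
    have verified still reaches the owner. Photo IDs and addressless UIDs are
    skipped, since there is nothing there you can check by mail."""
    verified = {e.lower() for e in verified_emails}
    return [u for u in uids if u.validity not in ("r", "e") and u.email in verified]


def edit_key_plan(listing: str, verified_emails) -> Tuple[str, List[str]]:
    """Return (fingerprint, commands to type at the `gpg --edit-key` prompt).
    Selecting UIDs first makes the following `sign` apply only to them;
    an empty command list means: do not certify this key at all."""
    fpr = parse_fingerprint(listing)
    chosen = signable_uids(parse_uids(listing), verified_emails)
    if not chosen:
        return fpr, []
    return fpr, [f"uid {u.index}" for u in chosen] + ["sign", "save"]


if __name__ == "__main__":
    # The old-employer address is "verified" here only to show that a revoked
    # UID is still excluded even when you could reach that mailbox.
    fpr, cmds = edit_key_plan(SAMPLE_LISTING, ["person@current.example",
                                               "person@campus.old-employer.example"])
    print(f"gpg --edit-key {fpr}")
    for c in cmds:
        print("  " + c)
```

Run against a real key with `gpg --with-colons --list-keys <fingerprint> | python3 -c '...'` (or read the listing from a file); gpg still asks for confirmation at `sign`, which is the moment to compare the UID numbers it shows with the ones chosen here. Note that the lapsed-domain address in the sample is neither revoked nor verified, so it is skipped: "not revoked" is not the same as "still reaches the owner", which is exactly the gap the mail describes.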
