On Tue 14 Sep 1999, Michael Stone wrote:
> On Tue, Sep 14, 1999 at 11:55:39PM +0200, Martin Schulze wrote:
> > Michael Stone wrote:
> > > Not really. What if the pgp key is compromised? The original owner can
> > > release a revocation certificate for the pgp key, but if someone creates
> > > a new gpg key that you sign based on the (compromised) pgp key then
> > > you've possibly validated a key that the original owner cannot revoke.
> > > That would be bad.
> >
> > So what do you propose? Not using any digital signing at all?
>
> How does that follow at all? Take a breath and calm down.
I think his point is that if you can't trust a pgp signature to sign a gpg key, why should you trust a pgp signature to do anything at all, e.g. accept an uploaded package. Seems like a reasonable argument.

Paul Slootman
--
home: [EMAIL PROTECTED] http://www.wurtel.demon.nl/
work: [EMAIL PROTECTED] http://www.murphy.nl/
debian: [EMAIL PROTECTED] http://www.debian.org/
isdn4linux: [EMAIL PROTECTED] http://www.isdn4linux.de/
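As an added illustration of the argument in this thread (not part of the original mail, and not modelled on any real PGP or GnuPG code), the following toy Python model of certifications and revocations shows why a gpg key that was certified solely on the strength of a pgp signature stays valid after the pgp key is revoked, and how recording what a certification relied on changes that. The key names "paul", "alice_pgp" and "alice_gpg" are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    signer: str      # key that made the certification
    subject: str     # key being certified
    basis: str = ""  # constructed extension: key whose signature justified it


@dataclass
class Keyring:
    trusted: set = field(default_factory=set)   # keys we accept as certifiers
    certs: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def certifier_ok(self, cert: Cert, track_basis: bool) -> bool:
        """A certification counts if its signer is trusted and not revoked."""
        if cert.signer not in self.trusted or cert.signer in self.revoked:
            return False
        # Mitigation: let a certification inherit the revocation of the key
        # whose signature it was based on (plain key signatures do not).
        if track_basis and cert.basis and cert.basis in self.revoked:
            return False
        return True

    def valid(self, key: str, track_basis: bool = False) -> bool:
        """Key is valid if not revoked and some acceptable cert covers it."""
        if key in self.revoked:
            return False
        return any(c.subject == key and self.certifier_ok(c, track_basis)
                   for c in self.certs)


def scenario() -> dict:
    """The thread's case: alice_gpg was signed only because alice_pgp vouched
    for it; then alice_pgp (possibly compromised) gets revoked."""
    ring = Keyring(trusted={"paul"})
    ring.certs += [Cert("paul", "alice_pgp"),                     # met in person
                   Cert("paul", "alice_gpg", basis="alice_pgp")]  # pgp-signed claim
    before = ring.valid("alice_gpg")
    ring.revoked.add("alice_pgp")   # original owner issues a revocation cert
    return {"before_revocation": before,
            "after_revocation_plain": ring.valid("alice_gpg"),
            "after_revocation_tracked": ring.valid("alice_gpg", track_basis=True)}


if __name__ == "__main__":
    print(scenario())
```

With plain certifications the gpg key stays valid after the pgp revocation, which is exactly the worry raised above; only a certifier that remembers its basis can withdraw it.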