Re: GPG key change
On Wed, Feb 20, 2008 at 04:23:03PM +0100, David Paleino wrote:
> is there any procedure to follow in case one needs to revoke his GPG key (thus creating a new one)? I mean, I have some packages in Debian, which are signed by my current key (0x1392B174).

Packages in Debian are signed by a DD or DM key, which was valid (and in the keyring) at the time the package was installed. So unless you are a DM, your packages were not signed by your key (a sponsor replaces the signature with his own when sponsoring).

> Is it sufficient to start signing new packages with my new key?

You should get some signatures on your new key so people can trust it. Then you can use it as usual.

Thanks,
Bas

--
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html
GPG key change
Hi all,

is there any procedure to follow in case one needs to revoke his GPG key (thus creating a new one)? I mean, I have some packages in Debian, which are signed by my current key (0x1392B174).

Is it sufficient to start signing new packages with my new key?

I've also applied NM, but I'm in an early stage -- my key hasn't been involved yet.

Kindly,
David

--
 . ''`.  Debian maintainer | http://wiki.debian.org/DavidPaleino
: :'  :  Linuxer #334216 --|-- http://www.hanskalabs.net/
`. `'`   GPG: 1392B174 | http://snipr.com/qa_page
  `-     2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
Re: GPG key change
Hello,

On Wed, 20 Feb 2008, David Paleino wrote:
> is there any procedure to follow in case one needs to revoke his GPG key (thus creating a new one)? I mean, I have some packages in Debian, which are signed by my current key (0x1392B174).
>
> Is it sufficient to start signing new packages with my new key?

The only real reason to revoke the primary GPG key would be when there are security concerns about it like:

1. You feel that you have chosen a key size which is too small.
2. You lost your key in some way.
3. Your private key has become exposed.

Otherwise, you can continue to use your GPG key forever. Note that you can add different sub-keys and different e-mail identities to your primary key so you are not stuck with using the same location information.

> I've also applied NM, but I'm in an early stage -- my key hasn't been involved yet.

In some sense your key is already involved since (for example) the key with which you signed your packages on mentors has entered my key-ring and is used to verify newer packages that you upload to mentors. If packages now appear on mentors signed with the new keys how can I be sure that it is the same David Paleino whose excellent packages I sponsored earlier ;-)

More seriously, you should think carefully about why you want to revoke your key.

Regards,

Kapil.
--
Re: GPG key change
On Wed, 20 Feb 2008 21:39:17 +0530, Kapil Hari Paranjape [EMAIL PROTECTED] wrote:
> Hello,

Hi Kapil,

> The only real reason to revoke the primary GPG key would be when there are security concerns about it like:
>
> 1. You feel that you have chosen a key size which is too small.
> 2. You lost your key in some way.
> 3. Your private key has become exposed.

I've somehow lost my private key for encryption. That is, I can sign anything, also encrypt, but not decrypt anything encrypted with my key. I've already added a new encryption sub-key (and works), but having lost the private part for the other subkey, I cannot revoke it.

Any idea?

David

--
 . ''`.  Debian maintainer | http://wiki.debian.org/DavidPaleino
: :'  :  Linuxer #334216 --|-- http://www.hanskalabs.net/
`. `'`   GPG: 1392B174 | http://snipr.com/qa_page
  `-     2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
Re: GPG key change
Hello David,

On Wed, 20 Feb 2008, David Paleino wrote:
> I've somehow lost my private key for encryption. That is, I can sign anything, also encrypt, but not decrypt anything encrypted with my key. I've already added a new encryption sub-key (and works), but having lost the private part for the other subkey, I cannot revoke it.
>
> Any idea?

It's a while since I played around with GPG but IIRC, the sub-keys are signed (and thus revoked) by the signing key. So having access to the signing key ought to be enough to generate a revocation certificate for an encryption key.

Let me check.

Regards,

Kapil.
--
Re: GPG key change
On Wed, 20 Feb 2008 22:08:57 +0530, Kapil Hari Paranjape [EMAIL PROTECTED] wrote:
> It's a while since I played around with GPG but IIRC, the sub-keys are signed (and thus revoked) by the signing key. So having access to the signing key ought to be enough to generate a revocation certificate for an encryption key.
>
> Let me check.

You are right. In fact, seahorse (the GUI I usually use), didn't let me revoke the subkey. I then did everything with `gpg --edit-key`, and seems like everything went fine. :)

Thanks,
David

--
 . ''`.  Debian maintainer | http://wiki.debian.org/DavidPaleino
: :'  :  Linuxer #334216 --|-- http://www.hanskalabs.net/
`. `'`   GPG: 1392B174 | http://snipr.com/qa_page
  `-     2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
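
The subkey revocation discussed in this thread, with a check that it took effect, as an added example that is not part of any message above. The colon listing is constructed sample data with placeholder key IDs, the subkey position `N` is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; SAMPLE_LISTING is constructed, not taken from a real keyring.
#
# Interactive revocation of a subkey, authorised by the primary key:
#   gpg --edit-key 0x1392B174
#   gpg> key N      # N = position of the lost subkey in the listing (assumption)
#   gpg> revkey     # the revocation is signed by the primary (signing) key
#   gpg> save
#
# --with-colons records: field 1 = record type, 2 = validity (r revoked,
# e expired, i invalid), 5 = key ID, 12 = capabilities (e = encryption).

SAMPLE_LISTING='pub:u:1024:17:AAAAAAAAAAAAAAAA:1167609600:::u:::scESC:
uid:u::::1167609600::0000000000000000::Example Maintainer <maint@example.org>:
sub:r:2048:16:BBBBBBBBBBBBBBBB:1167609600::::::e:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1203465600::::::e:'

# Print "<keyid> <capabilities> <status>" for every subkey record on stdin.
subkey_report() {
    awk -F: '$1 == "sub" {
        status = "usable"
        if ($2 == "r") status = "revoked"
        if ($2 == "e") status = "expired"
        if ($2 == "i") status = "invalid"
        caps = ($12 == "") ? "-" : $12
        print $5, caps, status
    }'
}

# Print the key IDs of encryption subkeys that senders can still encrypt to.
# After the revocation only the replacement subkey should be listed.
usable_encryption_subkeys() {
    awk -F: '$1 == "sub" && $12 ~ /e/ && $2 !~ /^[rei]$/ { print $5 }'
}

# Real use: gpg --list-keys --with-colons 0x1392B174 | subkey_report
printf '%s\n' "$SAMPLE_LISTING" | subkey_report
```

Correspondents only see the revocation once the updated public key has been republished, so run the check against a freshly fetched copy of the key as well as the local keyring.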