On Tuesday, 2009-09-29, g wrote:
> Kevin Krammer wrote:
> > Well, you sent the information about the change to a mailing list but you
> > did not include the revoked key nor any information where to get it.
>
> please excuse my understanding of revocation keys. it was my understanding
> that such had to be used when removing key from a key issuing site and not
> necessary from an individual.

I see.
Revocation means that the key is marked (cryptographically validatable) as not
being valid anymore.
Of course this marking has still to be distributed to people using the key for
validating.

> as such, when i send a new key to someone who is in my key list, they have
> ability to remove my old key.

True, but this is a manual process and could be forgotten (i.e. the new key
could be added but the old kept as well).

Also, assuming you have signed other people's keys, anyone on your key chain
might have sent your key to others so they could validate your signature on
that other key.

Just telling your direct peers about a new key without providing them with the
revoked key for them to distribute further, means that their keys now have a
signature that is considered valid by GPG software but actually isn't anymore
because the signing key is "lost".

> as for sending information about change, there was a link included with a
> unique 'subject:' that i set a filter for to centralize request.
>
> if you did not see this post, how are you aware that i was using a new key?

Well, I thought this would probably just retrieve the new key, not also the
revoked one.
If you are distributing a public keyring including the new one and the revoked
old one, then that's obviously fine.

Anyway, the tedious task is to build up your web of trust again. Losing all
those signatures is the worst part of a key becoming invalid.

Cheers,
Kevin

--
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring
___________________________________________________
This message is from the kde mailing list.
Account management: https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
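An added example, not part of the message above or of any GnuPG code: a small audit over `gpg --with-colons --check-sigs` output that lists certifications made by a key the local keyring knows to be revoked, and shows that a peer who never received the revocation sees nothing wrong. The key IDs, addresses and sample lines are constructed, and the field positions are assumed from GnuPG's colon-listing format.

```python
# Constructed sample of `gpg --with-colons --check-sigs` output (not real keys).
# Assumed field layout (GnuPG doc/DETAILS): 1 = record type, 2 = validity
# (for sig records: check result), 5 = key ID, 10 = user ID.
SAMPLE = """\
pub:r:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::sc:
uid:r::::1100000000::HASH1::Old Key <g@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:1100000000::::Old Key <g@example.org>:13x:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1200000000:::-:::scESC:
uid:f::::1200000000::HASH2::Peer One <peer1@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1200000000::::Peer One <peer1@example.org>:13x:
sig:!::17:AAAAAAAAAAAAAAAA:1210000000::::Old Key <g@example.org>:10x:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1220000000:::-:::scESC:
uid:f::::1220000000::HASH3::Peer Two <peer2@example.org>:
sig:!::1:CCCCCCCCCCCCCCCC:1220000000::::Peer Two <peer2@example.org>:13x:
sig:?::17:DDDDDDDDDDDDDDDD:1230000000::::[User ID not found]:10x:
"""

# The same keyring at a peer who was told about the new key but never got the
# revoked copy of the old one: the old key still carries a normal validity flag.
PEER_WITHOUT_REVOCATION = SAMPLE.replace("pub:r:", "pub:f:").replace("uid:r:", "uid:f:")


def audit_certifications(colon_output):
    """Return (stale, unverifiable) lists of (certified_key, signer_key)."""
    validity = {}  # key ID -> validity flag taken from its pub record
    certs = []     # (certified key, signer key, signature check result)
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]
            validity[current] = f[1]
        elif f[0] == "sig" and current and f[4] != current:
            # Third-party certification; self-signatures are skipped.
            certs.append((current, f[4], f[1]))
    # Signer is in the keyring and flagged revoked ("r").
    stale = [(k, s) for k, s, _ in certs if validity.get(s) == "r"]
    # Signer key is absent, so its revocation status cannot be known locally.
    unverifiable = [(k, s) for k, s, res in certs if s not in validity or res == "?"]
    return stale, unverifiable


if __name__ == "__main__":
    print("with revocation imported:", audit_certifications(SAMPLE))
    print("without revocation:      ", audit_certifications(PEER_WITHOUT_REVOCATION))
```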