[kde-linux] [OT] new pgp key

Kevin Krammer kevin.krammer at gmx.at
Tue Sep 29 10:04:18 BST 2009

On Tuesday, 2009-09-29, g wrote:
> Kevin Krammer wrote:
> > Well, you sent the information about the change to a mailinglist but you
> > did not include the revoked key nor any information where to get it.
> please excuse my understanding of revocation keys. it was my understanding
> that such had to be used when removing key from a key issuing site and not
> necessary from an individual.

I see.
Revocation means that the key is marked (cryptographically validatable) as not 
being valid anymore. Of course this marking still has to be distributed to 
people using the key for validating.

> as such, when i send a new key to someone who is in my key list, they have
> ability to remove my old key.

True, but this is a manual process and could be forgotten (i.e. the new key 
could be added but the old kept as well).

Also, assuming you have signed other people's keys, anyone on your key chain 
might have sent your key to others so they could validate your signature on 
that other key.
Just telling your direct peers about a new key without providing them with the 
revoked key for them to distribute further means that their keys now have a 
signature that is considered valid by GPG software but actually isn't anymore 
because the signing key is "lost".

> as for sending information about change, there was a link included with a
> unique 'subject:' that i set a filter for to centralize request.
> if you did not see this post, how are you aware that i was using a new key?

Well, I thought this would probably just retrieve the new key, not also the 
revoked one.
If you are distributing a public keyring including the new one and the revoked 
old one, then that's obviously fine.

Anyway, the tedious task is to build up your web of trust again. Losing all 
those signatures is the worst part of a key becoming invalid.


Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring