Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:

>> > We do not revoke keys because they are not invalid. We do not revoke the
>> > signatures on UIDs mentioning @debian.org, because that would cause a lot of
>> > trouble for the person to come back to the Debian project, I think. One
>> > cannot revoke a revocation certificate, AFAIK...
>>
>> Yes, you can. Just sign the key again. Recent GnuPG versions will
>> handle this correctly.
>
> Will that work correctly in remote keys (i.e. if one key that HAS the
> revocation signature on top of the old signature, and fetches the new
> signature, does it wipe the old sig and rev. sig?)

It doesn't wipe it (both signatures are still there), but it reverses
the effect of the revocation.

>> I don't think it's a good idea to express trust by membership in the
>> Debian keyring. Why can't we use bare OpenPGP for that?
>
> We don't use that because (AFAIK):
>
> 1. It is slower by a factor of 10, if not more.

This will be fixed in GnuPG 1.0.7.

> If (1) is not a problem anymore, and you are offering to fix all the
> scripts...

Uh-oh...

-- 
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
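
A simplified model of the behaviour discussed in the message above, as an added example that is not part of the original mail and is not GnuPG code: it assumes that, for each issuer and user ID, the most recent signature decides, so a newer certification overrides an older revocation while every packet stays on the key. All names, key IDs and timestamps are constructed.

```python
from dataclasses import dataclass

# Simplified stand-ins for OpenPGP certification (0x10-0x13) and
# certification revocation (0x30) signature classes.
CERT, REVOCATION = "cert", "revocation"


@dataclass(frozen=True)
class Sig:
    issuer: str   # key ID of the signer (constructed)
    uid: str      # user ID the signature is bound to
    kind: str     # CERT or REVOCATION
    created: int  # creation time, seconds since epoch


def merge(local, fetched):
    """Merging keyrings keeps every distinct signature; nothing is wiped."""
    return sorted(set(local) | set(fetched), key=lambda s: s.created)


def effective_certs(sigs):
    """Map (issuer, uid) -> True if the issuer's newest signature is a
    certification, False if it is a revocation (assumed rule: latest wins)."""
    latest = {}
    for s in sigs:
        key = (s.issuer, s.uid)
        if key not in latest or s.created > latest[key].created:
            latest[key] = s
    return {key: s.kind == CERT for key, s in latest.items()}


# Constructed sample: old signature, its revocation, and a fresh re-signature.
UID = "Jane Developer <jane@example.org>"
OLD = Sig("0xAAAA", UID, CERT, 1000)
REV = Sig("0xAAAA", UID, REVOCATION, 2000)
NEW = Sig("0xAAAA", UID, CERT, 3000)


def demo():
    remote_copy = [OLD, REV]            # remote key already carries sig + revocation
    before = effective_certs(remote_copy)
    merged = merge(remote_copy, [NEW])  # remote side fetches the new signature
    after = effective_certs(merged)
    return before, merged, after


if __name__ == "__main__":
    before, merged, after = demo()
    print("before fetch:", before)
    print("packets kept:", [s.kind for s in merged])
    print("after fetch: ", after)
```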