[Catalog-sig] getting the public key when --sign is used
Donald Stufft
donald.stufft at gmail.com
Tue Nov 20 18:49:25 CET 2012
On Tuesday, November 20, 2012 at 3:41 AM, M.-A. Lemburg wrote:
> For the second requirement, updating the .asc file would be
> a solution. Alternatively, the packagers could check the revocation
> date and then still allow packages to be installed which were signed
> before the revocation happened.
No, if a key is revoked it can no longer be used. I may discover that
my key has been compromised months after it was actually compromised;
I would then revoke it. I have no idea if the person who (in the hypothetical)
signed any packages with my key, or for how long they've been doing so.
Once a key is revoked you must not trust it for anything.
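The two policies being argued over in this message, as an added example that is not part of the thread or of any PyPI tooling: a small model of a verifier's revocation decision. The `SigningKey`, `PackageSignature`, `lenient_policy` and `strict_policy` names and the constructed scenario are assumptions made here to illustrate the point; the model covers only the revocation decision, not the cryptographic verification of the signature itself, which a real verifier performs first. The key fact it relies on is that the creation time inside an OpenPGP signature is chosen by whoever holds the private key, so it says nothing about when a stolen key was actually used.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Hypothetical data model (assumption made for this example).
@dataclass(frozen=True)
class SigningKey:
    key_id: str
    revoked_at: Optional[datetime]  # None while the key is still trusted

@dataclass(frozen=True)
class PackageSignature:
    key_id: str
    # Creation time embedded in the signature. It is set by the signer, so
    # anyone holding a stolen private key can put any date here.
    created_at: datetime

Policy = Callable[[SigningKey, PackageSignature], bool]

def lenient_policy(key: SigningKey, sig: PackageSignature) -> bool:
    """The date-based rule from the quoted proposal: keep accepting
    signatures whose creation time predates the revocation."""
    if key.revoked_at is None:
        return True
    return sig.created_at < key.revoked_at

def strict_policy(key: SigningKey, sig: PackageSignature) -> bool:
    """The rule argued for in the reply: once revoked, never trusted,
    regardless of what the signature claims about its own date."""
    return key.revoked_at is None

def is_trusted(keys: Dict[str, SigningKey], sig: PackageSignature,
               policy: Policy) -> bool:
    """Look up the signing key and apply the chosen policy.
    Unknown keys are never trusted."""
    key = keys.get(sig.key_id)
    if key is None:
        return False
    return policy(key, sig)

def scenario() -> Dict[str, bool]:
    """Constructed timeline: the key is stolen in June, the owner only
    notices and revokes in November, and the thief signs a package in
    August (or simply backdates the signature to August)."""
    utc = timezone.utc
    revoked = datetime(2012, 11, 20, tzinfo=utc)
    keys = {
        "DEADBEEF": SigningKey("DEADBEEF", revoked_at=revoked),
        "CAFEF00D": SigningKey("CAFEF00D", revoked_at=None),
    }
    forged = PackageSignature("DEADBEEF", datetime(2012, 8, 1, tzinfo=utc))
    healthy = PackageSignature("CAFEF00D", datetime(2012, 8, 1, tzinfo=utc))
    return {
        "forged_under_lenient": is_trusted(keys, forged, lenient_policy),
        "forged_under_strict": is_trusted(keys, forged, strict_policy),
        "healthy_under_strict": is_trusted(keys, healthy, strict_policy),
        "unknown_key": is_trusted(
            keys, PackageSignature("00000000", revoked), strict_policy),
    }

if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The lenient policy accepts the forged August signature because the date it compares against was written by the attacker; the strict policy rejects everything signed by the revoked key, which is the only decision a verifier can make without knowing when the compromise began.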