monotone-devel

Re: [Monotone-devel] Re: key-management problem


From: Matt Johnston
Subject: Re: [Monotone-devel] Re: key-management problem
Date: Sat, 18 Jun 2005 00:41:58 +0800
User-agent: Mutt/1.5.9i

On Thu, Jun 16, 2005 at 05:12:02PM +0100, Bruce Stephens wrote:

> If you resign something with a different key, then its identity has to
> change.  So this'll only be possible if you can resign all the
> dependent certs, too.  
> 
> [...]
> 
> Hmm, I guess it all depends on the specifics.  I think an easy fix has
> to be impossible, though: you can't just resign a cert with a changed
> key or keyid, because certs dependent on that were signed with the
> older key,keyid pair, and so they can't remain valid.

What do you mean by "dependent certs"? Certificates don't
contribute to the intrinsic "identity" of a revision, so
child revisions won't be affected if you change any certs
of a parent. If you have revisions A -> B -> C, with A and C
signed by Alice, and B signed by Bob, it would be fine for
Alice to duplicate Bob's signatures on B, and optionally
remove Bob's signatures on B.

In terms of code/automation to do the re-signing, a script
similar to http://matt.ucc.asn.au/monotone/mto-branch-rename
might do the trick? (iirc that script is based on something
previously posted to this list, though I can't remember who
sent it).

If I'm thinking of the wrong type of thing, could you
clarify? :)

Matt
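The A -> B -> C scenario from the message above, as an added example that is not part of the original message and not monotone's own code or data format. It is a simplified model: HMAC-SHA256 stands in for public-key signatures, and the keys, tree names, branch value and the contrasting `sigs_in_identity` design are all hypothetical.

```python
import hashlib
import hmac

# Constructed keys; HMAC-SHA256 stands in for real public-key signatures.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
TREES = ("tree-A", "tree-B", "tree-C")  # constructed contents of A -> B -> C


def sign(signer, data):
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()


def chain_ids(signers, sigs_in_identity=False):
    """Ids of A -> B -> C. Each id hashes the parent id and the tree;
    the hypothetical sigs_in_identity design also hashes the signature."""
    parent, ids = "", []
    for tree, signer in zip(TREES, signers):
        body = f"parent:{parent}\nmanifest:{tree}\n".encode()
        if sigs_in_identity:
            body += sign(signer, body).encode()
        parent = hashlib.sha1(body).hexdigest()
        ids.append(parent)
    return ids


def make_cert(signer, rev_id, name, value):
    """Detached cert: a signed (name, value) statement about an existing id."""
    sig = sign(signer, f"{name}@{rev_id}:{value}".encode())
    return {"signer": signer, "rev": rev_id, "name": name, "value": value, "sig": sig}


def cert_valid(cert):
    payload = f"{cert['name']}@{cert['rev']}:{cert['value']}".encode()
    return hmac.compare_digest(sign(cert["signer"], payload), cert["sig"])


def resign(certs, rev_id, old, new):
    """Reissue old's certs on rev_id under new and drop the originals."""
    return [make_cert(new, c["rev"], c["name"], c["value"])
            if (c["rev"], c["signer"]) == (rev_id, old) else c
            for c in certs]


def demo():
    a, b, c = chain_ids(("alice", "bob", "alice"))
    certs = [make_cert(s, r, "branch", "example.branch")
             for s, r in (("alice", a), ("bob", b), ("alice", c))]
    certs = resign(certs, b, "bob", "alice")
    detached_stable = chain_ids(("alice",) * 3) == [a, b, c]
    before = chain_ids(("alice", "bob", "alice"), sigs_in_identity=True)
    after = chain_ids(("alice",) * 3, sigs_in_identity=True)
    changed = [x != y for x, y in zip(before, after)]
    return detached_stable, all(map(cert_valid, certs)), changed
```

With detached certs the ids of B and C are untouched and every cert still verifies after Bob's cert on B is replaced; in the contrasting design, where the signature is hashed into the id, the same replacement changes B and therefore C.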




