monotone-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Monotone-devel] Dealing with lost key

From: Brian May
Subject: Re: [Monotone-devel] Dealing with lost key
Date: Sun, 18 Jan 2009 20:12:38 +1100
User-agent: Thunderbird 2.0.0.19 (X11/20090105) 
dlakelan wrote:
> Person A has been contributing to a project that Person B is
> participating in. Person A trusts person B's key. Person B begins to
> write code that Person A does not approve of (say it has some hidden
> functionality, backdoors, etc). person A wants to invalidate person
> B's keys for all future contributions, but retain the work that was
> done by person B before. Person A also wants to communicate to other
> members of the collaboration that he does not trust person B, and that
> he has reviewed person B's code and only approves of some of the
> changes...

I would simplify this to a even more common problem:

Person A, after numerous contributions to the project discovers is
laptop computer has been stolen, and as such cannot be sure the security
of his private key is still intact.

He wants to be able to indicate to the project at large that all
existing revisions are Ok, but future revisions are not.

How does monotone tell which are the old revisions and which are the new
ones? Note: You cannot trust the time saved in certificates, it is
trivial to update the system clock to an earlier date and commit changes.

Maybe just mark the key as bad and require somebody manually resign all
good code with a good key?

Brian May
reply via email to
[Prev in Thread] Current Thread [Next in Thread]