* Christian Perrier <bubulle@debian.org> [2009-06-11 13:04-0400]:
>
> Therefore, after the quite big hype where everybody (incl. me)
> regenerated a key

Although I agree that the attack is theoretical, I would not agree that encouraging people to transition is 'hype', but rather a proactive approach towards the reality of the future and taking pragmatic steps towards ensuring that our currently reliable WoT is not significantly compromised when the inevitable happens.

I have not heard anyone assert that a SHA-1 compromise is *not* coming, the only disagreement is about when it *will* happen. Based on this, we can all agree that at *some point* we all will need to transition. It seems to me like a dangerous mistake to shelve this momentum for an arbitrary time in the future, without a concrete alternative proposal.

Let's do it now, while we are thinking about it, while we have the opportunity to meet face-to-face, and get it over with so later (when we have forgotten about this whole thing and a demonstrable attack does come out) we don't look back and wonder why we didn't use this opportunity to do something about it.

As leaders in the OpenPGP web of trust, I think it is our responsibility to lead, rather than sit back and wait to react. Let's show the world that we care about security and are willing to do something about it, rather than sit in the corner while people take cheap shots at us for the "OpenSSL debacle".

With that in mind, the Debian keysigning events are one of the best opportunities for strengthening the Web of Trust, and it would be a missed opportunity to not give the transition a shot in the arm to continue its momentum not only internally in Debian, but externally to the rest of the tech community.

> ...not much noise was done about this.

I did not understand what you meant by this.

> I'm not sure that many DD have had their key changed in the keyring
> right now...so I think it's still worth to sign "old" keys.

Someone could ask noodles for some stats, I know that my key was changed with a simple RT request. However, my key was only changed because I had cross-signatures from other DDs that I obtained from a local keysigning party as the best way to get those is by meeting folks in person and exchanging keys.

This sounds like a perfect opportunity for a keysigning party, I know one that is coming up...

micah