[hmm--think I cancelled the last message by mistake, sorry if this is a duplicate.]

On Tue, Jan 07, 2003 at 06:14:12PM +1300, Nick Phillips wrote:
> You may notice that several of the "old hands" have *really* old keys
> in the Debian keyring. I don't know how long we think it would take
> for, say, the NSA to obtain a developer's private key by brute force
> (of the metaphorical kind), either with or without access to the
> encrypted private key, but I am concerned that we are not sufficiently
> worried about expiring keys.

In the general case, key expiration (as opposed to revocation) is not
useful, because keys can be *un*expired. In the case of Debian, it would
be feasible to globally expire all keys out of the keyring after a fixed
number of years, but I doubt you'll get the keymaster's buy-in on that
idea.

> It would be nice to have some kind of analysis of why we do what we do
> somewhere on the web site. Is there anybody who would be in a position
> to write such a document (i.e. with knowledge and available time)?

I started writing a Debian PGP FAQ the last time PGP came up for
discussion here, but never got to the point of having anything
publishable. I'll try to get back to it and post something this week.

-- 
Steve Langasek
postmodern programmer
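Added example, not part of the original post or of Debian's keyring tooling: a throwaway GnuPG session that shows why an expiration date on its own is weak protection. Whoever holds the private key (the owner, or someone who has obtained it) can simply move the expiry forward, whereas an imported revocation certificate marks the key revoked and cannot be undone the same way. It assumes GnuPG 2.1 or later is installed; the user ID, the 1-day and 2-year periods, and the temporary GNUPGHOME are constructed for the demonstration and touch no real keyring.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GnuPG >= 2.1.
set -e

# Work in a fresh, private GNUPGHOME so the real keyring is never touched.
setup_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Create a constructed, passphrase-less signing key that expires in 1 day
# and print its fingerprint.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Developer <dev@example.invalid>' \
        ed25519 sign 1d
    gpg --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Expiration date of the primary key as seconds since the epoch
# (field 7 of the "pub" record in --with-colons output).
expiry_of() {
    gpg --list-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $7; exit }'
}

# Validity flag of the primary key (field 2); "r" means revoked.
validity_of() {
    gpg --list-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# "Un-expire" the key: anyone holding the private key can issue a new
# self-signature that pushes the expiry date out, here by two years.
extend_expiry() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$1" 2y
}

# Revoke the key by importing the revocation certificate GnuPG generated at
# key creation. The file is armoured with a leading colon to prevent
# accidental use; strip it before importing.
revoke_key() {
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$1.rev" | gpg --batch --quiet --import
}

main() {
    setup_keyring
    fpr="$(gen_key)"
    before="$(expiry_of "$fpr")"
    extend_expiry "$fpr"
    after="$(expiry_of "$fpr")"
    echo "expiry before: $before  after: $after  (extended by the key holder)"
    revoke_key "$fpr"
    echo "validity after importing revocation: $(validity_of "$fpr")"
}

main
```

The two numbers printed by `main` are epoch seconds; the second is about two years after the first, showing that expiry is just a self-signature the key holder can replace. The final validity flag is `r`, which is the state a compromised key should be put into, since a revocation is a signature that is kept and honoured by every keyring that imports it rather than a date that can be rewritten.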