
A request for those attending key signing parties



At the most recent Linux.conf.au PGP keysigning, I noticed a number of
Debian developers present.  Like me, they had new keys that they offered
up for signing, presumably so they could start replacing their 1024DSA
keys with stronger keys.

If you are signing keys where you've verified the identity of fellow
Debian developers at a key signing party, please do us all a favor and
don't just sign it with your brand-new key --- but *also* sign the DD's
key with whatever key you currently have in the Debian
keyring.

Otherwise, you could end up with a situation where a whole group of DDs
have each other's keys certified, but only signed with their new keys
--- which isn't useful when they are submitting their keys to the Debian
keyring maintainer for inclusion.

What I did was I signed the keys that I verified with *both* my new key
and the key I currently have in the Debian keyring.  However, to date,
although I've received key signatures from multiple people whom I know
to be Debian developers, my new key is only signed by one key which is
currently in the Debian keyring.  (Thanks to Brendan O'Dea!)  At the
moment my new 4096 bit RSA key is waiting until I get more signatures,
or some of the new DDs' keys that have signed my key get accepted into
the Debian keyring.

						- Ted
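
The check implied by the message above, as an added example that is not part of the original post: given the colon-format signature listing of a new key, report which certifications come from keys already in the keyring. The key IDs, names and the function names `classify_certs` and `count_keyring_certs` are constructed for illustration.

```shell
#!/bin/sh
# Added example. All key IDs and names below are constructed.
# Real input would come from:  gpg --list-sigs --with-colons <new-key-id>
# Colon format: field 1 = record type, field 5 = key ID (signer's, for "sig").
SAMPLE_SIGS='pub:u:4096:1:AAAAAAAAAAAAAAAA:1264000000:::u:::scESC:
uid:u::::1264000000::0000::New Key Owner <owner@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1264000000::::New Key Owner <owner@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1264100000::::Signer One (old 1024D key):10x:
sig:::1:CCCCCCCCCCCCCCCC:1264100000::::Signer One (new 4096R key):10x:
sig:::1:DDDDDDDDDDDDDDDD:1264200000::::Signer Two (new 4096R key):10x:
'
# Constructed: long key IDs already present in the keyring being checked against.
SAMPLE_KEYRING_IDS='BBBBBBBBBBBBBBBB EEEEEEEEEEEEEEEE'

# classify_certs "<space-separated keyring key IDs>"  (colon listing on stdin)
# Prints one line per distinct third-party signer: "<status> <signer key ID>".
classify_certs() {
    awk -F: -v ring="$1" '
        BEGIN {
            n = split(ring, ids, " ")
            for (i = 1; i <= n; i++) in_ring[ids[i]] = 1
        }
        $1 == "pub" { self = $5 }                     # remember the key being examined
        $1 == "sig" && $5 != self && !seen[$5]++ {    # skip self-sigs and duplicates
            status = ($5 in in_ring) ? "in-keyring" : "not-in-keyring"
            print status, $5
        }
    '
}

# count_keyring_certs "<keyring key IDs>"  (colon listing on stdin)
# Prints how many distinct certifications come from keys in the keyring.
count_keyring_certs() {
    classify_certs "$1" | awk '$1 == "in-keyring" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample: a signer who used both old and new keys
# counts once, a signer who used only a new key does not count at all.
printf '%s' "$SAMPLE_SIGS" | classify_certs "$SAMPLE_KEYRING_IDS"
printf 'certifications from keyring members: %s\n' \
    "$(printf '%s' "$SAMPLE_SIGS" | count_keyring_certs "$SAMPLE_KEYRING_IDS")"
```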

