
Re: Removing < 2048 bit keys from the Debian keyrings



On Sun, Aug 31, 2014 at 11:07:43AM -0700, Stefano Zacchiroli wrote:
> On Sun, Aug 31, 2014 at 01:27:11PM +0100, peter green wrote:
> > If you have signed someone's old key is it considered "responsible" to
> > sign their new key based on a transition statement signed by the old
> > key? or is a new face-to-face meeting required? I've seen plenty of
> > (sometimes conflicting) advice on signing keys of a person you have
> > never signed keys for before but not much on the transition situation.
> 
> This topic is in the realm of personal signing policies, so it's
> probably normal to have conflicting advice among us.

[posted something like this on debian-private but it should rather be
 in public]

Signing a new key according to a transition statement IMHO just supports
the "I'm ranking higher in the signatures count" competition.  I have
never signed any transition request since I'm really convinced about the
fact that GPG signing is not a matter of technically checking a
fingerprint and uploading a signature but rather learning to know your
fellow DDs and seeing what *person* is behind a certain ID.  Finally you
assign a key to a person and not only to its ID card which only proves
that the government of the country assumes that the person has this ID.
From my point of view our web of trust should be based on personal
contacts rather than technical documents.  So meeting this person again
and signing the new key is way more important than helping the person
to regain the original signature count.

And yes, I know there are people who have trouble meeting a DD but I
have never met one of them (probably due to this fact) and so even this
argument is not valid in my case (and yes, I would consider helping out
in trouble if it would be *really* needed).
 
> In practice, this might become a fairly strict requirement, and I've
> keysigned on the basis of a transition statement only twice over the
> past 5 years. YMMV.

I had several chances to meet the people I met before in the last five
years and so there was no point for me to sign any transition statement.
I also never minded issuing a transition statement myself and I consider
my key reasonably integrated into the web of trust even if it is not
featuring the number of signatures of my old key.

Kind regards

     Andreas.

-- 
http://fam-tille.de

