
Re: [Debconf-discuss] GPG keysigning?

On Thu, Jun 11, 2009 at 07:43:24PM +0200, martin f krafft wrote:
> also sprach Moray Allan <moray@sermisy.org> [2009.06.11.1932 +0200]:
> > I'd go for the opposite view: if you've made a new key, that's a great
> > opportunity to strengthen the web of trust by not taking part in mass
> > keysignings.
> +1

There's a tradeoff here. Ideally if you've generated a new key you'll
get absolutely everyone you *know* who also uses OpenPGP to cross sign
with you. DebConf is an ideal place to do so with people you might not
normally see. Keysignings are a good way to get a lot of users together
and cross sign, rather than each individual being bothered by everyone
else at random points. For groups that know each other well such as LUGs
they're a great idea.

However mass keysignings with the number of people involved in DebConf
simply don't encourage good signing practice. I don't know how we solve
that. I've seen the splitting things up into smaller groups approach,
but I'm not convinced about that either. Maybe what we need is a
"registry" of people who are happy to cross sign and who can be expected
to have ID/fingerprints on them for much of the conference and then
people can exchange details as part of other interactions?

Whatever happens I am of the opinion that if you're sitting around with
a 1024 bit key with SHA-1 preferences then you want to be generating a
new (larger) one before DebConf so you can start getting it integrated
into the WoT.


/-\                             | 101 things you can't have too much
|@/  Debian GNU/Linux Developer |         of : 29 - T-shirts.
\-                              |
