
Re: [Debconf-discuss] GPG keysigning?



* Christian Perrier <bubulle@debian.org> [2009-06-11 13:04-0400]:
> 
> Therefore, after the quite big hype where everybody (incl. me)
> regenerated a key

Although I agree that the attack is theoretical, I would not agree that
encouraging people to transition is 'hype', but rather a proactive
approach towards the reality of the future and taking pragmatic steps
towards ensuring that our currently reliable WoT is not significantly
compromised when the inevitable happens. 

I have not heard anyone assert that a SHA-1 compromise is *not* coming,
the only disagreement is about when it *will* happen. Based on this, we
can all agree that at *some point* we all will need to transition. It
seems to me like a dangerous mistake to shelve this momentum for an
arbitrary time in the future, without a concrete alternative
proposal. Let's do it now, while we are thinking about it, while we have
the opportunity to meet face-to-face, and get it over with so later,
(when we have forgotten about this whole thing and a demonstrable attack
does come out) we don't look back and wonder why we didn't use this
opportunity to do something about it. As leaders in the OpenPGP web of
trust, I think it is our responsibility to lead, rather than sit back
and wait to react. Let's show the world that we care about security and
are willing to do something about it, rather than sit in the corner
while people take cheap shots at us for the "OpenSSL debacle".

With that in mind, the Debian keysigning events are one of the best
opportunities for strengthening the Web of Trust, and it would be a
missed opportunity to not give the transition a shot in the arm to
continue its momentum not only internally in Debian, but externally to
the rest of the tech community.

> ...not much noise was done about this.

I did not understand what you meant by this. 

> I'm not sure that many DD have had their key changed in the keyring
> right now...so I think it's still worth to sign "old" keys.

Someone could ask noodles for some stats; I know that my key was changed
with a simple RT request. However, my key was only changed because I had
cross-signatures from other DDs that I obtained from a local keysigning
party, as the best way to get those is by meeting folks in person and
exchanging keys. This sounds like a perfect opportunity for a keysigning
party, I know one that is coming up...

micah
