Re: Migrating to GPG - A mini-HOWTO
Jason Gunthorpe <jgg@ualberta.ca> writes:
> On Tue, 14 Sep 1999, Martin Schulze wrote:
>
> > > Nono, the new key must have a signature on it from the old RSA key (this
> > > is possible) then you can send it in a signed message to the keyring
> > > people. Otherwise our web of trust is totally trashed, very bad.
> >
> > Nono! The new key does not need to have a signature from the old pgp
> > key on it. You can still create a new web of trust and only use the
> > new key. You do not have to "mess" around with the rsa module. This
> > is an option, not a must.
>
> But we decided that we do not -want- to create a new web of trust, it is
> too much work and totally unnecessary. The RSA patent expires in 11
> months, it is wasteful to throw everything away now.
I don't remember this being discussed on any list before. It doesn't hurt
to extend the web to an unencumbered keyspace, as long as it is done properly.
> Debian's position should be pretty much summarised by the following items:
> 1) Use of PGP of any version is strongly discouraged, particularly PGP
> 2.x
> 2) Creation of new PGP2.x keys is strongly discouraged
> 3) The use of IDEA or any other patented algorithm for encrypted emails
> is discouraged [largely unimportant, encryption stuff is minor]
> 4) Maintaining our web of trust is important. New keys should
> always be signed by older keys - where possible.
> 5) The continued use of PGP 2.x keys will be supported for the
> foreseeable future, however they are considered to be 'legacy' items.
> 6) New keys should not be created using ANY patented algorithms. No
> new patented algorithms [public key, digest or symmetric] will ever be
> supported by Debian.
> 7) Signing new keys based on a signed email from the key holder is
> strongly discouraged. Face-to-Face verification before any key
> signature is strongly encouraged.
> 8) Participants of 'signing parties' are encouraged to use OpenPGP keys
> (remember that a PGP 2.x key cannot be signed by an OpenPGP key
> [AFAIK])
> 9) Cryptographic material [signatures, keys, rings, etc] should be in
> OpenPGP format whenever possible.
>
> That is the basic outline of the transition plan we have been discussing
> on and off for months.
I don't have a problem with 1-7, however a transition strategy away from
RSA type keys would be nice, as they continue to use the non-free gpg-rsa
package. Waiting until the patent expires seems like somewhat of a cop out.
8 and 9 I'd need to seek more information about.
> [Incidentally if there is no big disagreement to the above 9 points I will
> make a posting to devel-announce with this as official word]
No, please allow a reasonable time for discussion.
Martin.
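The continuity step under discussion above (a new key that carries a certification from the old key, sent to the keyring maintainers in a signed message) can be checked mechanically on the receiving side: parse the exported key block and list which key IDs have certified its user ID. What follows is an added example, not code from this thread or from Debian's keyring tooling. With a current GnuPG the signing step itself is `gpg -u <old-key-id> --sign-key <new-key-id>` followed by `gpg --export <new-key-id>`; the checker below only looks at the exported result. The key block, key IDs and user ID are constructed test data, and the parser assumes v4 signatures and packets without partial or indeterminate body lengths.

```python
"""Check that an exported OpenPGP public key block carries a certification
(RFC 4880 signature types 0x10-0x13) issued by a given, older key ID."""
import struct

CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream.
    Handles old-format (RFC 4880 4.2.1) and new-format (4.2.2) headers,
    but not partial-body or indeterminate lengths (assumption)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def parse_subpackets(buf: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + buf[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", buf[i + 1:i + 5])[0], 5
        sp = buf[i + hdr:i + hdr + length]
        yield sp[0] & 0x7F, sp[1:]  # mask the "critical" bit off the type
        i += hdr + length


def parse_v4_signature(body: bytes):
    """Return (signature_type, issuer_keyid_hex) from a v4 signature packet."""
    if body[0] != 4:
        raise ValueError(f"only v4 signatures supported, got v{body[0]}")
    sigtype = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    unhashed = body[off + 2:off + 2 + unhashed_len]
    # Issuer subpacket (type 16) holds the 8-byte key ID of the signer.
    for area in (hashed, unhashed):
        for sp_type, sp_data in parse_subpackets(area):
            if sp_type == 16 and len(sp_data) == 8:
                return sigtype, sp_data.hex().upper()
    return sigtype, None


def certifications(keyblock: bytes):
    """Return [(user_id, sigtype, issuer_keyid)] for every certification
    signature that follows a User ID packet in the key block."""
    out, uid = [], None
    for tag, body in parse_packets(keyblock):
        if tag == 13:  # User ID packet
            uid = body.decode("utf-8", "replace")
        elif tag == 2 and uid is not None:
            sigtype, issuer = parse_v4_signature(body)
            if sigtype in CERTIFICATION_TYPES:
                out.append((uid, sigtype, issuer))
    return out


def is_cross_signed(keyblock: bytes, old_keyid: str) -> bool:
    """True if some user ID on the key is certified by old_keyid (long key ID)."""
    wanted = old_keyid.replace(" ", "").upper()[-16:]
    return any(issuer == wanted for _, _, issuer in certifications(keyblock))


# --- Constructed test data (not a real key; MPIs are dummy 1-bit values) ---
NEW_KEYID = "0123456789ABCDEF"  # constructed
OLD_KEYID = "FEDCBA9876543210"  # constructed


def _pkt(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body  # new-format, body < 192


def _sig(sigtype: int, issuer_hex: str) -> bytes:
    issuer = bytes.fromhex(issuer_hex)
    hashed = bytes([len(issuer) + 1, 16]) + issuer  # one Issuer subpacket
    body = (bytes([4, sigtype, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\x00\x00" + b"\x00\x01\x01")
    return _pkt(2, body)


SAMPLE_KEYBLOCK = (
    _pkt(6, bytes([4, 0, 0, 0, 0, 17]) + b"\x00\x01\x01")   # public key, DSA
    + _pkt(13, b"Test User <test@example.invalid>")           # user ID
    + _sig(0x13, NEW_KEYID)                                   # self-signature
    + _sig(0x10, OLD_KEYID)                                   # cert from old key
)

if __name__ == "__main__":
    for uid, sigtype, issuer in certifications(SAMPLE_KEYBLOCK):
        print(f"{uid}: sig type 0x{sigtype:02X} from {issuer}")
    print("cross-signed by old key:", is_cross_signed(SAMPLE_KEYBLOCK, OLD_KEYID))
```

The checker answers only the structural question (is there a certification packet naming the old key ID as issuer); it does not verify the signature itself, so `gpg --check-sigs` on the imported key is still needed before trusting the result.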