
Re: Migrating to GPG - A mini-HOWTO



Jason Gunthorpe <jgg@ualberta.ca> writes:

> On Tue, 14 Sep 1999, Martin Schulze wrote:
> 
> > > Nono, the new key must have a signature on it from the old RSA key (this
> > > is possible) then you can send it in a signed message to the keyring
> > > people. Otherwise our web of trust is totally trashed, very bad.
> > 
> > Nono!  The new key does not need to have a signature from the old pgp
> > key on it.  You can still create a new web of trust and only use the
> > new key.  You do not have to "mess" around with the rsa module.  This
> > is an option, not a must.
> 
> But we decided that we do not -want- to create a new web of trust, it is
> too much work and totally unnecessary. The RSA patent expires in 11
> months, it is wasteful to throw everything away now.

I don't remember this being discussed on any list before. It doesn't hurt
to extend the web to an unencumbered keyspace, as long as it is done properly.

> Debian's position should be pretty much summarised by the following items:
>   1) Use of PGP of any version is strongly discouraged, particularly PGP
>      2.x
>   2) Creation of new PGP2.x keys is strongly discouraged
>   3) The use of IDEA or any other patented algorithm for encrypted emails
>      is discouraged [largely unimportant, encryption stuff is minor]
>   4) Maintaining our web of trust is important. New keys should
>      always be signed by older keys - where possible.
>   5) The continued use of PGP 2.x keys will be supported for the
>      foreseeable future, however they are considered to be 'legacy' items.
>   6) New keys should not be created using ANY patented algorithms. No
>      new patented algorithms [public key, digest or symmetric] will ever be
>      supported by Debian.
>   7) Signing new keys based on a signed email from the key holder is
>      strongly discouraged. Face-to-Face verification before any key
>      signature is strongly encouraged.
>   8) Participants of 'signing parties' are encouraged to use OpenPGP keys
>      (remember that a PGP 2.x key cannot be signed by an OpenPGP key
>       [AFAIK])
>   9) Cryptographic material [signatures, keys, rings, etc] should be in
>      OpenPGP format whenever possible.
> 
> That is the basic outline of the transition plan we have been discussing
> on and off for months.

I don't have a problem with 1-7, however a transition strategy away from
RSA type keys would be nice, as they continue to use the non-free gpg-rsa
package. Waiting until the patent expires seems like somewhat of a cop out.

8 and 9 I'd need to seek more information about.

> [Incidentally if there is no big disagreement to the above 9 points I will
> make a posting to devel-announce with this as official word]

No, please allow a reasonable time for discussion.

        Martin.

