Re: I am still on the keyring. With my old key.

[Anand Kumria]
> 			- require the developer to generate a new key
> 			- require the developer to have _at least_ N
> 			  number of other, existing developers sign
> 			  their key
> 			- once the developer submits their new key,
> 			  the keyring-maint can select M of the N
> 			  signatures from existing developers and ask
> 			  them to further assure keyring-maint that the
> 			  developer in question is who they say they
> 			  are.
> 			- once that check passes, update the keyring.
> 		    I would suggest that M be 2 and N be 3.

In the 8 years I've been using Debian, I've met, in real life, exactly
one developer (and I think 2 former developers).  At that rate, were I
a developer and needed to revoke/reissue a gpg key, it would take
approximately 24 years to accumulate enough signatures to do so.

So N=3 sounds high, to me.  OTOH, complaints about the keyring
maintainer being slow would probably go away, since a 2-month
turnaround time is pretty negligible compared to 24 years.

(My point isn't really the 24 years, it's that some of us aren't
geographically situated to get 3 developer signatures as quickly as
you probably think.)