Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Wednesday, 5 March 2014, 10.47:07 Paul Wise wrote:
> On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> > I have a rather silly question: would a mail (signed with this key)
> > request to the DDs who already signed the initial key (and checked
> > the identity) to sign the replacement key be considered unreasonable?
> Considering that the initial keys are now considered weak, I expect
> that it would be reasonable for people to not trust a key transition
> statement where the only available trust anchor is the old weak key.
Well, the project currently considers these old keys to be trustworthy
enough to let the people who control them upload any packages to the
archive (modulo these keys being in the uploading keyring).
If we trust that the people behind the keys haven't changed, we should
let them use easy ways to move to stronger keys. On the other hand, if we think
the keys have been compromised, then we should really drop the upload
rights!
Cheers,
OdyX