
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!



On 05/03/2014 10:01, Didier 'OdyX' Raboud wrote:
> On Wednesday, 5 March 2014, 10:47:07 Paul Wise wrote:
>> On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
>>> I have a rather silly question: would a mail (signed with this key)
>>> requesting that the DDs who already signed the initial key (and checked
>>> the identity) sign the replacement key be considered unreasonable?
>> Considering that the initial keys are now considered weak, I expect
>> that it would be reasonable for people to not trust a key transition
>> statement where the only available trust anchor is the old weak key.
> 
> Well, the project currently considers these old keys to be trustworthy 
> enough to let the people who control them upload any packages to the 
> archive (modulo these keys being in the uploading keyring).
> 
> If we trust that the people behind the keys haven't changed, we should 
> let them use easy ways to stronger keys. On the other hand, if we think 
> the keys have been compromised, then we should really drop the upload 
> rights!
> 

Hi,

On the same line of thought, couldn't we manage something with
videoconferencing tools, at least for key renewal? Just to check that
the person whose new key I'm signing resembles the one I met a couple of
years ago. I'm quite sure I would still be able to identify most of the
DDs whose keys I signed.

Kind regards, Thibaut.

