
Re: Removing < 2048 bit keys from the Debian keyrings



Jonathan McDowell wrote:
> I would ask that DDs make some effort to help
> those with weak keys get their new, stronger keys signed. Please sign
> responsibly[4],

If you have signed someone's old key, is it considered "responsible" to sign their new key based on a transition statement signed by the old key? Or is a new face-to-face meeting required? I've seen plenty of (sometimes conflicting) advice on signing keys of a person you have never signed keys for before, but not much on the transition situation. (Note: this is a general question to consider; I'm not personally in a position where it would apply.)

My understanding is that the NSA and similar organisations can probably crack 1024 bit keys, but the cost of doing so (assuming there hasn't been some secret mathematical breakthrough) is likely sufficiently high that it would be cheaper to infiltrate Debian the old-fashioned way (false passports, putting agents through the NM process etc). Is that understanding correct?

