-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'm a DD living in Galway, with one of those old 1024-bit keys. So I need
to meet up and get a new key signed by multiple DDs.

As it happens I'm in Dublin a bit for work, such as on Friday, at Grand
Canal Docks, not far from Google, etc. Anybody available to meet and sign
a key?

I'm working at ICHEC, the Irish Centre for High-End Computing, and NUI
Galway.

regards
Alastair

- -------- Original Message --------
Subject: Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Resent-Date: Wed, 5 Mar 2014 14:06:14 +0000 (UTC)
Resent-From: debian-devel@lists.debian.org
Date: Wed, 05 Mar 2014 09:05:33 -0500
From: Jeremy T. Bouse <jbouse@debian.org>
Organisation: Debian Project
To: <debian-devel@lists.debian.org>

On 05.03.2014 04:01, Didier 'OdyX' Raboud wrote:
> On Wednesday, 5 March 2014, 10:47:07 Paul Wise wrote:
>> On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
>> > I have a rather silly question: would a mail (signed with this key)
>> > requesting the DDs who already signed the initial key (and checked
>> > the identity) to sign the replacement key be considered unreasonable?
>>
>> Considering that the initial keys are now considered weak, I expect
>> that it would be reasonable for people to not trust a key transition
>> statement where the only available trust anchor is the old weak key.
>
> Well, the project currently considers these old keys to be trustworthy
> enough to let the people who control them upload any packages on the
> archive (modulo these keys are in the uploading keyring).
>
> If we trust that the people behind the keys haven't changed, we should
> let them use easy ways to stronger keys. On the other hand, if we think
> the keys have been compromised, then we should really drop the upload
> rights!
>
> Cheers,
> OdyX

I would tend to side more with OdyX here in that the keys are still
considered trustworthy enough to be in the keyring, but we're encouraging
moving to stronger keys and no longer accepting these keys to be
included. The subject of compromise is a totally different situation
than this and would obviously need to be handled differently, as you
should no longer trust the key entirely and it should be removed.

I started the move to the high-bit RSA key because of deciding to make
the move to using the OpenPGP smartcard, which only supported RSA and not
DSA. This was not because I have any reason to believe my key was
compromised or that I had lost the private key data.

Given the lengths I go to verify identity, control of private key data
and the email addresses listed in the UID of the key, I might consider
an encrypted challenge requesting signing a new replacement key, provided
the assurance that the original key had not been compromised and the
keys were cross-signed. Though it is something I would most likely take
on a case-by-case basis.

- --
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/b5138e433b5218bb143b9cfa191db0af@undergrid.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTF044AAoJEN9LdrZRJ3QsxQ0QAImH9WbRZEGZi1hHIESsIePe
x6WgFEZIximTqYDfaXeugVoDq93vjGbiv55igvCi0tCAycc9gDqRr412F9PmEzWl
YFnFK9dc9Hf3aFqd4A29GyUoWRPYLCdCeGzawj1NA2UjG4Hhg262whyXiHAwmyoG
wSRuOAnDD7JgSfs+9Z+KBgQpi78MtiGapaBSh0hy7gG1DygHyAaF02Co0szCyBJ7
oiIt1dVxMc8krDnieRSMPub4rlzzLxE9fyzWivLJLw0oq2V1fBBAH9KAHe9pyld1
xKhLtqjF5LrWZkqIJzpGEpW2Kxox6w31FrgmKs61sz0IUnygEBXNu0xdayBGh3Qh
drZSL+LcBCSDLLDcdL9g+eMGMo/lV0aadWUfh3fG9+Gx8SjqGwxfv/LNRMqjSCnF
RiFdWJpLjwVi/TOAXOCYASRleYjmfJosHOIK55mlo1Jfcj1+QTiXnb2O9Q8kPZKf
VfNuVFOv0j3kUL624VYpIyZlgyBA04GBJ4eBxZLzDFAxk2Mc7Mmk89KjrReiAHt4
xw51lvpP769QTUXpbULLNKJd8TTDt50Lu5Vdp5UYfQasoaL8Auw4cPOOfWzv0J2J
p3ChzB6DdxzDaG5MnZ8Eb4Xe5WH6lA6/A+l10ai4z/GUcA3/qfthiJ42NTPVQ0S1
Qpxzi7iTeopgI7333TkF
=/TWL
-----END PGP SIGNATURE-----