[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Moving to stronger keys than 1024D

On Sat, Oct 05, 2013 at 12:41:41AM -0500, Gunnar Wolf wrote:
>   Yes, our WoT has naturally weakened due to bitrot
>   (i.e. cross-signatures made with keys which are later retired might
>   have created WoT islands), but we do have at least identity
>   assurance history.

So, I've a question about this and I'm looking for best practices in the
area. I've migrated to a 4096R key in 2010, but I haven't yet revoked my
old 1024D key. My initial, maybe naive, idea was to wait for the new key
to be "as well connected" in the WoT as the old one before retiring the
latter. 3 years into that, is not very clear to me that this is not
gonna happen any time soon: even though I've been traveling a lot over
the past 3 years and met a lot of Free Software people, the MSD ranking
of my new key is ~180 whereas the old one is ~62. Given I've collected
many signatures on the new key, the reason is likely that the migration
of many people (and possibly the fact that some other very well
connected people haven't migrated?) is making the WoT much more
scattered than what it was ~13 years ago, when I started using my former

What worries me is that by revoking my old key I'll make the situation
for the WoT worse. Given the current state and evolution trends of WoT,
is it actually the case, as Gunnar hints at above, or not?

OTOH by not retiring my old 1024D key I feel increasingly more
irresponsible, as impersonating me via the old key (and possibly sign
other keys with it...) is becoming increasingly easier.

Oh mighty Debian keyring maintainers and WoT gurus, what do you suggest
to do in this respect? When is the right moment to retire old keys after
migration to stronger ones?

Stefano Zacchiroli  . . . . . . .  zack@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »

Attachment: signature.asc
Description: Digital signature

Reply to: