
Re: Moving to stronger keys than 1024D



On Sat, Oct 05, 2013 at 12:41:41AM -0500, Gunnar Wolf wrote:
>   Yes, our WoT has naturally weakened due to bitrot
>   (i.e. cross-signatures made with keys which are later retired might
>   have created WoT islands), but we do have at least identity
>   assurance history.

So, I have a question about this and I'm looking for best practices in the
area. I migrated to a 4096R key in 2010, but I haven't yet revoked my
old 1024D key. My initial, maybe naive, idea was to wait for the new key
to be "as well connected" in the WoT as the old one before retiring the
latter. 3 years into that, it is not very clear to me that this is
going to happen any time soon: even though I've been traveling a lot over
the past 3 years and met a lot of Free Software people, the MSD ranking
of my new key is ~180 whereas the old one is ~62. Given that I've collected
many signatures on the new key, the reason is likely that the migration
of many people (and possibly the fact that some other very well
connected people haven't migrated?) is making the WoT much more
scattered than it was ~13 years ago, when I started using my former
key.

What worries me is that by revoking my old key I'll make the situation
for the WoT worse. Given the current state and evolution trends of WoT,
is it actually the case, as Gunnar hints at above, or not?

OTOH, by not retiring my old 1024D key I feel increasingly
irresponsible, as impersonating me via the old key (and possibly signing
other keys with it...) is becoming increasingly easy.

Oh mighty Debian keyring maintainers and WoT gurus, what do you suggest
to do in this respect? When is the right moment to retire old keys after
migration to stronger ones?

TIA,
Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  zack@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »

Attachment: signature.asc
Description: Digital signature
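As an added illustration of the "WoT islands" point raised in the message above (this is not part of the original post, and the signature graph is a constructed toy, not the Debian keyring): it recomputes a key's mean shortest distance before and after revoking a well-connected old key. MSD is taken here, as an assumption, to be the mean over all other keys of the shortest signature path to the target, with keys that can no longer reach it listed separately rather than folded into the mean.

```python
from collections import deque

# Constructed toy web of trust: signer -> set of keys it has signed
# (an edge A -> B means "A signed B"). Sample data only.
TOY_WOT = {
    "hub_old":  {"a", "b", "c", "d"},      # well-connected old key
    "a":        {"hub_old", "zack_new"},
    "b":        {"hub_old"},               # only ever cross-signed with the hub
    "c":        {"hub_old", "d"},
    "d":        {"hub_old", "c", "e"},
    "e":        {"d", "zack_new"},
    "zack_new": {"a", "e"},                # the newer, less connected key
}

def all_keys(wot):
    """Every key that appears as signer or as signed key."""
    return set(wot) | {k for signed in wot.values() for k in signed}

def shortest_distances(wot, source):
    """BFS along signature edges from `source`; returns {key: hops}."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        k = queue.popleft()
        for signed in wot.get(k, ()):
            if signed not in dist:
                dist[signed] = dist[k] + 1
                queue.append(signed)
    return dist

def revoke(wot, key):
    """Copy of the graph with `key` and every signature to or from it removed."""
    return {k: {s for s in signed if s != key}
            for k, signed in wot.items() if k != key}

def msd(wot, target):
    """(mean shortest distance to `target`, keys that cannot reach it at all)."""
    hops, islands = [], []
    for key in all_keys(wot) - {target}:
        d = shortest_distances(wot, key)
        if target in d:
            hops.append(d[target])
        else:
            islands.append(key)
    mean = round(sum(hops) / len(hops), 2) if hops else float("inf")
    return mean, sorted(islands)

if __name__ == "__main__":
    print("before revocation:", msd(TOY_WOT, "zack_new"))
    print("after revoking hub_old:", msd(revoke(TOY_WOT, "hub_old"), "zack_new"))
```

Note that the mean can even improve after the revocation while a key ("b" here) silently becomes an island, which is why the mean alone is a poor measure of the damage done by retiring a hub key.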

