[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Moving to stronger keys than 1024D

On Sat, Oct 05, 2013 at 10:37:40AM +0200, Stefano Zacchiroli wrote:
> What worries me is that by revoking my old key I'll make the situation
> for the WoT worse. Given the current state and evolution trends of WoT,
> is it actually the case, as Gunnar hints at above, or not?
> OTOH by not retiring my old 1024D key I feel increasingly more
> irresponsible, as impersonating me via the old key (and possibly sign
> other keys with it...) is becoming increasingly easier.
> Oh mighty Debian keyring maintainers and WoT gurus, what do you suggest
> to do in this respect? When is the right moment to retire old keys after
> migration to stronger ones?

Now. If you have a 2048 bit or larger key that has been signed by at
least 2 other DDs but still have a 1024D key in our keyring you should
be filing a request for replacement.

When we first started requiring larger keys for new DDs/replacements it
was felt that we didn't want to risk our WoT and could take things
gradually. I think we're at the point where we should be proactively
moving to larger keys now. Your older key might be well linked and have
a low MSD, but that includes all of the 1024D keys we're trying to move
away from. The more useful question is how many of the signatures on
your new key come from strong keys, and how many strong keys have you
signed with that new key?


] http://www.earth.li/~noodles/ []   Mistakes aren't always regrets.   [
]  PGP/GPG Key @ the.earth.li   []                                     [
] via keyserver, web or email.  []                                     [
] RSA: 4096/2DA8B985            []                                     [

Attachment: signature.asc
Description: Digital signature

Reply to: