
Re: Moving to stronger keys than 1024D



On Sat, Oct 05, 2013 at 05:32:18PM +0200, Stefano Zacchiroli wrote:
> On Sat, Oct 05, 2013 at 08:17:48AM -0700, Jonathan McDowell wrote:
> > Now. If you have a 2048 bit or larger key that has been signed by at
> > least 2 other DDs but still have a 1024D key in our keyring you
> > should be filing a request for replacement.
> 
> I'm sorry, I realize only now I wasn't clear on this point.
> 
> I was talking about the WoT at large, not only the Debian keyring.
> I've indeed replaced my 1024D key with my 4096R key in the Debian
> keyring a long time ago. What I haven't yet done is _revoking_ the old
> key.  Doing that now should have no bad effect on the Debian keyring,
> as any potentially "bad" effect there has already happened when I did
> the replacement.

If we assume that 1024D keys have questionable security then at some
point you stop trusting them entirely whether they're revoked or not. I
finally revoked my 1024D about a year ago and should really have done so
sooner.

> > The more useful question is how many of the signatures on your new
> > key come from strong keys, and how many strong keys have you signed
> > with that new key?
> 
> Right. If you happen to have a oneliner to verify that I'll be happy
> to answer these questions :)

I don't have anything to conveniently answer that unfortunately.

J.

-- 
] http://www.earth.li/~noodles/ []   Aunt Em: Hate Kansas. Hate you.   [
]  PGP/GPG Key @ the.earth.li   []      Taking dog. Bye. Dorothy.      [
] via keyserver, web or email.  []                                     [
] RSA: 4096/2DA8B985            []                                     [
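
Added example, not part of the original message or of any Debian keyring tooling: one way to answer the two questions above (signatures received from strong keys, strong keys signed) from the text printed by `gpg --with-colons --list-sigs`. The key IDs and sample records are constructed; the 2048-bit threshold is the one named in the thread, and the threshold is applied to RSA and DSA keys only, which is an assumption of this sketch.

```python
from collections import Counter

MIN_BITS = 2048        # threshold from the thread: "2048 bit or larger"
RSA_DSA = {"1", "17"}  # OpenPGP public-key algorithm IDs: 1 = RSA, 17 = DSA

# Constructed sample in the `gpg --with-colons --list-sigs` record layout.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAA01:1262304000:::u:::scESC:
uid:u::::1262304000::::New Key <new@example.org>:
sig:::1:AAAAAAAAAAAAAA01:1262304000::::New Key <new@example.org>:13x:
sig:::1:BBBBBBBBBBBBBB02:1262390400::::Strong Signer <s@example.org>:10x:
sig:::17:CCCCCCCCCCCCCC03:1262390400::::Old Signer <o@example.org>:10x:
sig:::1:DDDDDDDDDDDDDD04:1262390400::::[User ID not found]:10x:
pub:f:2048:1:BBBBBBBBBBBBBB02:1230768000:::-:::scESC:
sig:::1:BBBBBBBBBBBBBB02:1230768000::::Strong Signer <s@example.org>:13x:
sig:::1:AAAAAAAAAAAAAA01:1262476800::::New Key <new@example.org>:10x:
pub:f:1024:17:CCCCCCCCCCCCCC03:1009843200:::-:::scESCA:
sig:::17:CCCCCCCCCCCCCC03:1009843200::::Old Signer <o@example.org>:13x:
sig:::1:AAAAAAAAAAAAAA01:1262476800::::New Key <new@example.org>:10x:
"""

def parse_listing(text):
    """Return ({keyid: (algo, bits)}, {keyid: set of signer keyids})."""
    keys, signers, current = {}, {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4]                          # field 5: long key ID
            keys[current] = (f[3], int(f[2] or 0))  # field 4: algo, field 3: bits
            signers[current] = set()
        elif f[0] == "sig" and current and len(f) > 4 and f[4] != current:
            signers[current].add(f[4])  # skip self-signatures, one entry per signer
    return keys, signers

def classify(keyid, keys):
    if keyid not in keys:
        return "unknown"                # signer's key is not in the local keyring
    algo, bits = keys[keyid]
    if algo not in RSA_DSA:
        return "other"                  # e.g. ECC: bit length not comparable
    return "strong" if bits >= MIN_BITS else "weak"

def wot_strength(text, target):
    """Count signer strength for signatures received by and given from target."""
    keys, signers = parse_listing(text)
    received = Counter(classify(k, keys) for k in signers.get(target, ()))
    given = Counter(classify(k, keys) for k, s in signers.items() if target in s)
    return dict(received), dict(given)
```

Signers reported as "unknown" have to be fetched into the local keyring before their key size can be judged, and the counts take signatures as listed without verifying them.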

