
Re: State of the debian keyring



On Sun, Feb 23, 2014 at 07:57:43AM +0000, Marco d'Itri wrote:
> gwolf@gwolf.org wrote:
> 
> >So, what do you suggest?
> Persuade developers that they should sign the new key of people whose
> old key they have already signed, with no need to meet them in person.

I'm not sure what you're saying, but I think it's a bad idea.

What I would find acceptable is that if you generate a new key
you sign the same keys with the new key that you signed
previously with the old key.

I would also find it acceptable that the keyring maintainers
accept a signature from a single DD to replace the key, with that
single DD being the DD's old key.  If the old key doesn't get
revoked there is still a (weak) web of trust.  But I would like to
see a signature from at least one other person with a stronger key
that has a reasonable connection to the web of trust, preferably a
DD.  The more the better of course.

I see no good reason to sign new keys without meeting the person
to confirm that that is their new key.  You seem to suggest that
that is a good idea to keep the web of trust, but to me it seems
you just create a web of trust that isn't really there.  What we
need is a way to confirm that you're talking to the same person
you've met previously and confirm that that is his new key.


Kurt

