Re: State of the debian keyring
On Sun, Feb 23, 2014 at 07:57:43AM +0000, Marco d'Itri wrote:
> firstname.lastname@example.org wrote:
> >So, what do you suggest?
> Persuade developers that they should sign the new key of people whose
> old key they have already signed, with no need to meet them in person.
I'm not sure what you're saying, but I think it's a bad idea.
What I would find acceptable is that if you generate a new key
you sign the same keys with the new key that you signed
previously with the old key.
I would also find it acceptable that the keyring maintainers
accept a signature from a single DD to replace the key, with that
single DD being the DD's old key. If the old key doesn't get
revoked there is still a (weak) web of trust. But I would like to
see a signature from at least one other person with a stronger key
that has a reasonable connection to the web of trust, preferably a
DD. The more the better, of course.
I see no good reason to sign new keys without meeting the person
to confirm that that is their new key. You seem to suggest that
that is a good idea to keep the web of trust, but to me it seems
you just create a web of trust that isn't really there. What we
need is a way to confirm that you're talking to the same person
you've met previously and confirm that that is his new key.