Re: State of the debian keyring

On Sun, Feb 23, 2014 at 12:49:37PM -0300, Henrique de Moraes Holschuh wrote:
> On Sun, 23 Feb 2014, Jonathan McDowell wrote:
> >  * Requests need to include the full fingerprint of both the old and the
> >    new key. Not just the key IDs. Not just the new key. We want to be
> >    absolutely certain of what you're requesting replaced. I quite like
> >    seeing the actual "gpg --fingerprint" output for both keys because it
> >    tends to be quite easy to visually verify.
> > 
> >  * The new key must be signed by the old key that is being replaced.
> > 
> >  * The new key must be signed by 2 other keys that are present in the
> >    Debian keyring.
> > 
> >  * The request must be signed by the old key. Signing the request with
> >    the new key alone is not helpful - requests must always be signed by
> >    a key that is currently in the active keyring. Signing it with both
> >    is fine, but not required.
> > 
> >  * You should specify *why* you want to replace your key. Knowing that
> >    it's because you're moving to a stronger key rather than because your
> >    old key is compromised / unavailable / on fire helps us prioritise
> >    things.
> This is not what is written here:
> http://keyring.debian.org/replacing_keys.html
> Please update that page.  In particular, it *requires* a third party to
> request the key swap on your behalf.

Paragraph 2 on that page states:

| If key X is still valid then Alice may sign the request using that key,
| but must ensure key Y is signed by key X as well as at least 2 other
| active Debian developers whose keys are in the keyring.

What would you suggest as alternative wording which is clearer?


Replace repetitive expressions by calls to a common function.
This .sig brought to you by the letter M and the number 35
Product of the Republic of HuggieTag