On Thu, Feb 27, 2014 at 01:18:58PM +0000, Ian Jackson wrote:
> Jonathan McDowell writes ("Re: State of the debian keyring"):
> > On Mon, Feb 24, 2014 at 05:53:58PM +0000, Ian Jackson wrote:
> > > Are we now at the stage where it is more important to retire these
> > > shortish keys, than to insist on this cross-signatures ?
> ...
> > I'd rather avoid this if possible, but it's something I'd be prepared to
> > consider for those who really can't manage to any another signature.
>
> So you have answered my question with "no".
Actually, that's not what he replied. You asked wether to chose between
Scylla and Charybdis, and Jonathan just replied that Charybdis wasn't a
really good option but would there be no other choice, in specific
situation, he'd be prepared to do that.
That's very different than “no”.
> In conclude that this
> weak keys problem is not all that urgent, in your opinion. I'll stop
> worrying about it too much.
*sighs*
Considering you already have a 2048R master key, sure, you can stop
worrying for now (I'm unsure why you chose not to directly have a 4096R
one, but eh). That won't actually stop me worrying for the rest of the
Debian keyring, because only one compromised key is enough, and
cryptography is really a field where you prefer to be safe than sorry.
Regards,
--
Yves-Alexis Perez
Attachment:
signature.asc
Description: Digital signature