Re: State of the debian keyring

On Thu, Feb 27, 2014 at 01:18:58PM +0000, Ian Jackson wrote:
> Jonathan McDowell writes ("Re: State of the debian keyring"):
> > On Mon, Feb 24, 2014 at 05:53:58PM +0000, Ian Jackson wrote:
> > > Are we now at the stage where it is more important to retire these
> > > shortish keys than to insist on these cross-signatures?
> ...
> > I'd rather avoid this if possible, but it's something I'd be prepared to
> > consider for those who really can't manage to get any other signature.
> So you have answered my question with "no".

Actually, that's not what he replied. You asked whether to choose between
Scylla and Charybdis, and Jonathan just replied that Charybdis wasn't a
really good option but, were there no other choice in a specific
situation, he'd be prepared to do that.

That's very different from “no”.

> I conclude that this
> weak keys problem is not all that urgent, in your opinion.  I'll stop
> worrying about it too much.
Considering you already have a 2048R master key, sure, you can stop
worrying for now (I'm unsure why you chose not to directly have a 4096R
one, but eh). That won't actually stop me worrying for the rest of the
Debian keyring, because only one compromised key is enough, and
cryptography is really a field where you'd rather be safe than sorry.

Yves-Alexis Perez
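As an added illustration of the kind of audit being argued about above (this is example code written for this page, not something posted in the thread or part of any Debian keyring tooling): the check that matters for "only one compromised key is enough" is listing every primary key in the keyring whose RSA/DSA size falls below the threshold one has decided on. GnuPG's `--with-colons` output is the machine-readable way to get at that; the listing embedded below is constructed for the example and the key IDs and user IDs in it are made up. Elliptic-curve keys are deliberately not compared against an RSA-style bit count, since a 256-bit EdDSA key is not "shortish" in the sense of this thread.

```python
# Added example: find short RSA/DSA/Elgamal primary keys in a keyring using
# the machine-readable listing GnuPG prints for
#   gpg --no-default-keyring --keyring ./some-keyring.gpg --list-keys --with-colons
# Pipe that output in with "python3 weak_keys.py -"; with no argument the
# constructed sample listing below is used instead.
import sys

# OpenPGP public-key algorithm IDs as they appear in field 4 of a "pub" record.
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Algorithms whose "key length" field is a modulus/group size that an RSA-style
# threshold makes sense for. ECC sizes are curve sizes and are excluded.
FINITE_FIELD_ALGOS = {1, 16, 17}

# Constructed sample (key IDs and names are made up, not real Debian keys).
# "pub" fields (0-based): 0 type, 1 validity, 2 bits, 3 algo ID, 4 key ID, ...
# "uid" field 9 is the user ID string.
SAMPLE_LISTING = """\
tru::1:1393500000:0:3:1:5
pub:u:1024:17:0000000000000001:1043000000:::u:::scaESCA::::::
uid:u::::1043000000::AAAA::Alice Example <alice@example.org>::
sub:u:2048:16:0000000000000002:1043000000::::::e::::::
pub:u:2048:1:0000000000000003:1393000000:::u:::scESCA::::::
uid:u::::1393000000::BBBB::Bob Example <bob@example.org>::
pub:u:4096:1:0000000000000004:1393000000:::u:::scESCA::::::
uid:u::::1393000000::CCCC::Carol Example <carol@example.org>::
pub:u:256:22:0000000000000005:1393000000:::u:::scESCA::::::
uid:u::::1393000000::DDDD::Dave Example <dave@example.org>::
"""


def parse_pub_records(listing):
    """Return one dict per primary ("pub") key, with the first uid attached.

    Subkeys ("sub") are ignored on purpose: the thread is about master keys.
    """
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "bits": int(f[2]), "algo": int(f[3]), "uid": None})
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None and len(f) > 9:
            keys[-1]["uid"] = f[9]
    return keys


def weak_master_keys(listing, min_bits=2048):
    """Return (keyid, algo name, bits, uid) for RSA/DSA/Elgamal primary keys
    shorter than min_bits. ECC primary keys are never reported."""
    weak = []
    for k in parse_pub_records(listing):
        if k["algo"] in FINITE_FIELD_ALGOS and k["bits"] < min_bits:
            name = ALGO_NAMES.get(k["algo"], "algo %d" % k["algo"])
            weak.append((k["keyid"], name, k["bits"], k["uid"]))
    return weak


if __name__ == "__main__":
    listing = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LISTING
    threshold = 2048
    for keyid, name, bits, uid in weak_master_keys(listing, threshold):
        print("%s %s%d %s" % (keyid, name[0], bits, uid))
```

Run against the sample, the only hit at the 2048-bit threshold is the 1024-bit DSA key; raising the threshold to 4096 also reports the 2048R key, and the EdDSA key is never reported regardless of threshold.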

