
PGP key to use to contact the Security Team



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


 Hello, I am finishing the French translation of the Securing Debian
Manual, and I noticed something about the key to use to contact the
Debian Security Team.

 In the Securing Debian Manual, the key id to use to send an encrypted
email to the security team is 363CCD95, but on the following link,
it is F2E861A3 that is listed instead.

http://www.debian.org/security/faq.en.html#contact

http://pgpkeys.pca.dfn.de/pks/lookup?search=0xF2E861A3&op=vindex
http://pgpkeys.pca.dfn.de/pks/lookup?search=0x363CCD95&op=vindex

 So far so good, but the old key seems to still be valid since it is
not revoked, and Google finds many references to it while Google finds
only one reference to F2E861A3, a key that is signed by only one person.


 So here are my questions:

1. Are both keys still valid?

2. If the key F2E861A3 is legitimate (which I think it is because
I have a trust path to it), wouldn't it make sense to sign it with
the old key as well? Or alternatively by 3 members of the security
team instead of just one?

3. The key F2E861A3 claims to have been created on 2007-07-29 and is
set to expire on 2009-02-18.  So could someone clarify what will
happen after it expires in six weeks?  Will it be replaced by a new
key, or will the expiration date simply be changed?

4. If the old key 363CCD95 is not used anymore, is there any reason
for not revoking it?

Thank you in advance for the clarifications,

Simon Valiquette

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Linux PPC)

iEYEAREDAAYFAklYwvkACgkQJPE+P+aMAJIXxACfZaIjWuqVFsakCdobInLVGqKm
OgoAmwcLp+cmGLJX7lyeVxnRKh28kMAQ
=+FqI
-----END PGP SIGNATURE-----

