On Thu, Jun 11, 2009 at 07:43:24PM +0200, martin f krafft wrote:
> also sprach Moray Allan <[email protected]> [2009.06.11.1932 +0200]:
> > I'd go for the opposite view: if you've made a new key, that's a great
> > opportunity to strengthen the web of trust by not taking part in mass
> > keysignings.
>
> +1

There's a tradeoff here. Ideally if you've generated a new key you'll get absolutely everyone you *know* who also uses OpenPGP to cross sign with you. DebConf is an ideal place to do so with people you might not normally see.

Keysignings are a good way to get a lot of users together and cross sign, rather than each individual being bothered by everyone else at random points. For groups that know each other well such as LUGs they're a great idea. However mass keysignings with the number of people involved in DebConf simply don't encourage good signing practice.

I don't know how we solve that. I've seen the splitting things up into smaller groups approach, but I'm not convinced about that either. Maybe what we need is a "registry" of people who are happy to cross sign and who can be expected to have ID/fingerprints on them for much of the conference and then people can exchange details as part of other interactions?

Whatever happens I am of the opinion that if you're sitting around with a 1024 bit key with SHA-1 preferences then you want to be generating a new (larger) one before DebConf so you can start getting it integrated into the WoT.

J.

--
/-\                             | 101 things you can't have too much
|@/  Debian GNU/Linux Developer |        of : 29 - T-shirts.
\-                              |
