On Sat, Oct 05, 2013 at 10:37:40AM +0200, Stefano Zacchiroli wrote:
> What worries me is that by revoking my old key I'll make the situation
> for the WoT worse. Given the current state and evolution trends of WoT,
> is it actually the case, as Gunnar hints at above, or not?
> 
> OTOH by not retiring my old 1024D key I feel increasingly more
> irresponsible, as impersonating me via the old key (and possibly signing
> other keys with it...) is becoming increasingly easier.
> 
> Oh mighty Debian keyring maintainers and WoT gurus, what do you suggest
> to do in this respect? When is the right moment to retire old keys after
> migration to stronger ones?

Now. If you have a 2048 bit or larger key that has been signed by at
least 2 other DDs but still have a 1024D key in our keyring you should
be filing a request for replacement.

When we first started requiring larger keys for new DDs/replacements it
was felt that we didn't want to risk our WoT and could take things
gradually. I think we're at the point where we should be proactively
moving to larger keys now. Your older key might be well linked and have
a low MSD, but that includes all of the 1024D keys we're trying to move
away from. The more useful question is how many of the signatures on
your new key come from strong keys, and how many strong keys have you
signed with that new key?

J.

-- 
] http://www.earth.li/~noodles/ []   Mistakes aren't always regrets.   [
]  PGP/GPG Key @ the.earth.li   []                                     [
] via keyserver, web or email.  []                                     [
] RSA: 4096/2DA8B985            []                                     [
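
The question at the end of the reply (how many signatures on the new key come from strong keys, and how many strong keys the new key has signed) can be answered from `gpg --with-colons --list-sigs` output. The script below is an added example, not code from the thread or from Debian's keyring tooling; it runs on a constructed colon-format dump with fake key IDs, and treats 2048 bits or more as "strong", which is an assumption taken from the reply's threshold.

```python
from collections import defaultdict

# Threshold the reply uses ("2048 bit or larger"); adjust for other policies.
STRONG_BITS = 2048

# Constructed sample of `gpg --with-colons --list-sigs` output (fake key IDs
# and user IDs). Field 3 is key length, 4 the algorithm (17 = DSA, 1 = RSA),
# 5 the key ID, 10 the user ID and 11 the signature class.
SAMPLE = """\
pub:u:1024:17:AAAA000000000001:1100000000::::::scESCA::::::::0:
uid:u::::1100000000::H1::Old Key <old@example.org>::::::::::0:
sig:::17:AAAA000000000001:1100000000::::Old Key <old@example.org>:13x:::::2:
sig:::17:BBBB000000000002:1110000000::::Old DD One <one@example.org>:10x:::::2:
sig:::1:CCCC000000000003:1200000000::::Strong DD Two <two@example.org>:13x:::::2:
pub:u:4096:1:DDDD000000000004:1360000000::::::scESCA::::::::0:
uid:u::::1360000000::H4::New Key <new@example.org>::::::::::0:
sig:::1:DDDD000000000004:1360000000::::New Key <new@example.org>:13x:::::2:
sig:::17:BBBB000000000002:1365000000::::Old DD One <one@example.org>:13x:::::2:
sig:::1:CCCC000000000003:1370000000::::Strong DD Two <two@example.org>:13x:::::2:
sig:::1:EEEE000000000005:1375000000::::Strong DD Three <three@example.org>:13x:::::2:
pub:-:1024:17:BBBB000000000002:1000000000::::::scESCA::::::::0:
sig:::1:DDDD000000000004:1365000000::::New Key <new@example.org>:13x:::::2:
pub:-:4096:1:CCCC000000000003:1350000000::::::scESCA::::::::0:
sig:::1:DDDD000000000004:1370000000::::New Key <new@example.org>:13x:::::2:
pub:-:2048:1:EEEE000000000005:1340000000::::::scESCA::::::::0:
"""

def parse_keyring(text):
    """Return (key ID -> key length, key ID -> set of signer key IDs).
    Self-signatures are dropped; only certifications (class 0x10-0x13) count."""
    keys, sigs, current = {}, defaultdict(set), None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = int(f[2])
        elif f[0] == "sig" and current and len(f) > 10 and f[10][:2] in ("10", "11", "12", "13"):
            if f[4] != current:          # skip the self-signature
                sigs[current].add(f[4])
    return keys, sigs

def strong_signers(keyid, keys, sigs):
    """Signers of `keyid` whose own key is strong; signers absent from the keyring don't count."""
    return sorted(s for s in sigs[keyid] if keys.get(s, 0) >= STRONG_BITS)

def strong_keys_signed_by(keyid, keys, sigs):
    """Strong keys in the keyring that carry a certification from `keyid`."""
    return sorted(k for k, signers in sigs.items()
                  if keyid in signers and keys.get(k, 0) >= STRONG_BITS)
```

Against a real keyring, pipe `gpg --with-colons --list-sigs` into `parse_keyring` and query the old and new key IDs; on the sample the old 1024D key has one strong signer while the 4096R key has two and has itself certified one strong key.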
