I'm curious what the gpg/pgp users' consensus (if there is one) is on signing new keys. I realize that key signing is generally based upon personal policy, but that is typically informed by consensus IMO.
Suppose in 2005 Kate gets her key signed by Sam at an overseas keysigning party. Kate's key has an expiration date of 2015. In 2009 it becomes clear that she needs to refresh her key in order to move to the new digest algorithm. So, she generates a new key, expiration 2019, and signs it with her old key. She then sends the new key to Sam, whom she will probably not meet again in person any time soon, and asks him to sign the new key and send the signature back to her.

Is this bad form? Should Sam sign the new key, based upon the trusted signature from Kate's old key, even though he is not meeting Kate and re-checking her ID and fingerprint? Or, should he insist on an in-person meeting (or some other form of authentication)?

Jim Anthony Carrico wrote:
> As Sam pointed out earlier this year, it is time to update your OpenPGP
> keys. The community consensus is that now is the time to move to a
> stronger digest algorithm. If you don't have any keys, now is a great
> time to start.
>
> Today I want everyone to go to the command line and check to see if you
> have GnuPG installed:
>
> $ gpg --version
>
> If not please install it. For Debian based distros type:
>
> $ sudo apt-get update
> $ sudo apt-get install gnupg gnupg-doc
>
> Please chime in with questions, or instructions for other distributions
> (in particular Windows, if anyone has experience).
>
> Sometime in the next few months we'll have a key signing party, so
> follow along and get your new key ready.
>
