Re: kernel.org status: establishing a PGP web of trust

[Jiri Kosina]

On Tue, 4 Oct 2011, Heiko Carstens wrote:

> > I have a question here. In case people are 'reasonably certain' that the 
> > old key has never been jeoparadized, why are they required to create a new 
> > key?
> > 
> > (if the old key would have been compromised, the attacker could as well 
> > generate a new key and sign it with the old key himself, so I fail to see 
> > any benefit of this PGP excercise).
> > 
> > It doesn't make too much sense to force people to live with two different 
> > personalities in this "PGP web of trust" world just for the sake of 
> > kernel.org, does it?
> 
> Also same question here. And as far as I can tell nobody has given an
> answer yet.

In the meantime, at least one reason came up in parallel discussion ... a 
lot of people have those oldish keys generated as 1024bit or so, and using 
DSA.

And it seems like 4096/RSA is sort of required here.

-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/