On Sun, Feb 23, 2014 at 07:57:43AM +0000, Marco d'Itri wrote: > gw...@gwolf.org wrote: > > >So, what do you suggest? > Persuade developers that they should sign the new key of people whose > old key they have already signed, with no need to meet them in person.
I'm not sure what you're saying, but I think it's a bad idea. What I would find acceptable is that if you generate an new key you sign the same keys with the new key that you signed previously with the old key. I would also find it acceptable that the keyring maintainers accept a signature from a single DD to replace the key, with that single DD being the DD's old key. If they old key doesn't get revoked there is still a (weak) web of trust. But I would like to see a signature from at least one other person with a stronger key that has a reasonable connection to the web of trust, preferably a DD. The more then better of course. I see no good reason to sign new keys without meeting the person to confirm that that is their new key. You seem to suggest that that is a good idea to keep the web of trust, but to me it seems you just create a web of trust that isn't really there. What we need is a way to confirm that you're talking to the same person you've met previously and confirm that that is his new key. Kurt -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140223112858.ga13...@roeckx.be
