On 2014-10-06, sebb wrote:

> On 6 October 2014 08:16, Stefan Bodewig <bode...@apache.org> wrote:

>>> Just a note on the GPG key, it might be a good idea to upgrade to a
>>> stronger one. 1024-bit keys are discouraged nowadays.
>>> http://www.apache.org/dev/release-signing

>> I know, but leaving behind a key that has accumulated signatures over
>> more than ten years is hard ...

> I assume that the people who signed your key trust that it is still yours.
> If you use it to sign your new key, is that not sufficient?

Right, at least in a way. If I created a new key and signed it with the old one the WOT would still be there in a transitive way. But a direct signature conveys more trust (in a GnuPG sense of trust) than a transitive one along the graph.

Creating a new key is somewhere down my todo list but I shy away from the hassle of asking all people who signed the old key to also sign the new one so the new one won't be worth less.

Stefan