www-community mailing list archives

From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Wed, 12 Aug 2009 13:01:29 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

William A. Rowe, Jr. wrote:
> Jukka Zitting wrote:
>> Hi,
>>
>> On Tue, Aug 11, 2009 at 4:09 PM, Rich Bowen<rbowen@rcbowen.com> wrote:
>>> Is it possible to regenerate my gpg key without losing all the signatures on
>>> my existing key?
>> To bootstrap the new key, you could sign it with your old key.
>>
>> Not sure if that should be enough for others to trust that it came
>> from you even without a F2F keysigning party.

for the moment, yes

once 1024 bit keys become generally untrusted, no

this is the big advantage of a measured transition: having to purge your
only key when DSA is conclusively broken will be a PITA

> Signed with Ultimate trust, it should be enough.  You can have multiple
> private keys in place so enigmail and other programs will still decrypt
> all of your artifacts.  But you should have people sign the new key (and
> we can do so, trusting that you-were-you, and your new key has ultimate
> trust from the key we already signed).
> 
> E.g. my old key is still valid, not yet revoked, but used far too often for
> far too many artifacts.  So I rolled a 10 year (you might want it to be
> forever) master key, and just roll some one or two year encryption and
> signing keys to use for 'a while'.
> 
> The nice bit, people sign your master key.  You sign your subordinate
> keys for various purposes, creating new ones whenever you want.  So no
> more need to get new keys signed.

this is the setup i'm using ATM

- robert

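Added example, not part of the original message: a small audit of `gpg --list-keys --with-colons` output that flags the legacy layout discussed in the thread (a 1024-bit DSA primary used directly for signing) and passes the master-key-plus-expiring-subkeys layout. The sample listing, its key IDs, and the policy thresholds are constructed assumptions.

```python
# Constructed sample in GnuPG colon format (key IDs and dates are made up).
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
uid:u::::1104537600::X::Old Key <old@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1104537600::::::e:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1249862400:1565222400::u:::cESC:
uid:u::::1249862400::Y::New Key <new@example.org>:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1249862400:1312934400:::::s:
sub:u:2048:1:EEEEEEEEEEEEEEEE:1249862400:1312934400:::::e:
"""

ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}  # OpenPGP algorithm IDs
MIN_BITS = 2048  # assumed policy threshold, not taken from the thread


def audit(listing):
    """Return (keyid, finding) tuples for keys that break the assumed policy."""
    findings = []
    primary = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        bits, algo, keyid, expires = int(f[2]), ALGOS.get(f[3], f[3]), f[4], f[6]
        # Field 12: lowercase letters are this key's own capabilities;
        # uppercase letters on a pub record are the aggregate of all subkeys.
        own_caps = {c for c in f[11] if c.islower()}
        if f[0] == "pub":
            primary = keyid
            # A master key in the layout described above only certifies ("c").
            if own_caps - {"c"}:
                findings.append((keyid, "primary key also signs or encrypts"))
        elif not expires:
            # Rotating subkeys are expected to carry an expiry date.
            findings.append((keyid, f"subkey of {primary} has no expiry"))
        if algo == "DSA" or bits < MIN_BITS:
            findings.append((keyid, f"weak key: {algo}-{bits}"))
    return findings


if __name__ == "__main__":
    for keyid, finding in audit(SAMPLE):
        print(keyid, finding)
```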