Re: kernel.org status: establishing a PGP web of trust

From: Jiri Kosina
Date: Mon Oct 03 2011 - 07:19:38 EST


On Fri, 30 Sep 2011, H. Peter Anvin wrote:

> Since the kernel.org status announcement last week a number of you
> have contacted me about re-establishing credentials. In order to
> establish a proper PGP web of trust we need keys that are cross-signed
> by other developers. As such, we ask that you follow the following
> steps:
>
> 1. Make sure your systems are uncompromised. We will address specific
> recommended steps for that in a separate email.
>
> 2. Create a new PGP/GPG key, and also generate a key revocation
> certificate (but don't import it anywhere -- save it for the
> future) for your new key. In the near future we are considering
> setting up an escrow service for key revocation certificates.
>
> I recommend using a 4096-bit RSA key. Given how fast computers are
> these days, there is no reason to use a shorter key. DSA keys
> should be considered obsolete; substantial weaknesses have been
> found in DSA.
>
> $ gpg --gen-key
> $ gpg -o <key ID>.revoke --gen-revoke <key ID>
>
> 3. If you are reasonably certain that your old key has never been
> jeopardized, sign the new key with the old key.

I have a question here. In case people are 'reasonably certain' that the
old key has never been jeopardized, why are they required to create a new
key?

(if the old key would have been compromised, the attacker could as well
generate a new key and sign it with the old key himself, so I fail to see
any benefit of this PGP exercise).

It doesn't make too much sense to force people to live with two different
personalities in this "PGP web of trust" world just for the sake of
kernel.org, does it?

Thanks,

--
Jiri Kosina
SUSE Labs
