Judit Foglszinger <ur...@riseup.net> writes:

> Hi,
>
>> > Dmitri, could you re-run the numbers with the debian-maintainer keyring?
>>
>> That is correct. I have updated the results now.
>> The 2,455 no public key has now become 1,238
>
> Another is the DN keyring.
> Also I'd expect many keys to be found in older versions of the keyring
> package/keyring repository
> and on keyservers like keyserver.ubuntu.com

Removing old keys is usually a bad idea -- could these be moved to an "archived" keyring instead? I assume having them in the "live" keyring is not possible if the presence of a key in that file is used to make authorization decisions.

You want to be able to verify old signatures in 20+ years too, and then you need to be able to find the corresponding public key.

Even finding a copy of my own old RSA1280 key 0xB565716F turned out to be tricky. I had to search for it just a couple of days ago and I couldn't find it on the keyservers I looked on. The key was used during 2002-2014 to sign a lot of software releases (and emails). Fortunately, I had a habit of sticking it into the AUTHORS field of some packages, so I found it here:

https://git.savannah.gnu.org/cgit/libidn.git/tree/AUTHORS?id=cd51d7cd4e83f8b5240517b63ba2adef721542c9

/Simon