On Mon, 12 Jan 2026 00:26, Steve Sawczyn said:

> migrating to newer keys, all those old signatures were lost. To be
> fair, I’m sure that most of those signatures could no longer be

That's right and shows that the Web of Trust does not really work to its full extent in real life. The reasons why old PGP 2 keys can't be used anymore are:

- GnuPG 2.x dropped almost all support for those v3 (and v2) keys.
- GnuPG does not anymore support the really broken MD5 hash algorithm.
- Some people fear collision attacks on SHA-1 keys and thus by default SHA-1 key signatures, as done for many years, are now not anymore usable.

Note that gpg 1.4 is still available to decrypt old encrypted data.

> change again and people will need to generate new keys? What about
> key expiration, wouldn’t that cause a person to essentially have to
> start over with gathering signatures for new keys, or otherwise

It is possible and suggested to prolong the expiration time of a key. However, some folks used a signature expiration time when doing their 3rd party key signatures; this can only be solved by issuing a new key signature.

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
