Re: Notes from keyring-maint; end of the world not predicted
Jonathan McDowell <nood...@earth.li> writes:

> * Replacement of the old key with the new one should not cause any
>   other key to no longer be in Debian's Web of Trust nor strongly
>   connected subset.

Is there a simple way of checking whether this is true for a given key?

> * Replacement of the old key with the new one should not cause a
>   significant weakening of Debian's Web of Trust. I don't have exact
>   figures for this at present, but it'll be based on the Betweenness
>   Centrality and mean-minimum-distance calculations most probably.

Is there a simple way of getting a metric of this for a given key?

-- 
 \      “Pinky, are you pondering what I'm pondering?” “I think so, |
  `\     Brain, but if the plural of mouse is mice, wouldn't the plural |
_o__)    of spouse be spice?” —_Pinky and The Brain_ |
Ben Finney
Re: Notes from keyring-maint; end of the world not predicted
On Wed, May 20, 2009 at 07:43:53PM +1000, Ben Finney wrote:
> Jonathan McDowell <nood...@earth.li> writes:
>
> > * Replacement of the old key with the new one should not cause any
> >   other key to no longer be in Debian's Web of Trust nor strongly
> >   connected subset.
>
> Is there a simple way of checking whether this is true for a given key?
>
> > * Replacement of the old key with the new one should not cause a
> >   significant weakening of Debian's Web of Trust. I don't have exact
> >   figures for this at present, but it'll be based on the Betweenness
> >   Centrality and mean-minimum-distance calculations most probably.
>
> Is there a simple way of getting a metric of this for a given key?

The easiest way is probably to install the signing-party package and
then use keyanalyze:

rsync -az --progress keyring.debian.org::keyrings/keyrings/debian-keyring.gpg \
    ./debian-keyring.gpg
gpg --no-default-keyring --keyring ./debian-keyring.gpg \
    --delete-key old-key
gpg --no-default-keyring --keyring ./debian-keyring.gpg \
    --import new-key
pgpring -S -k debian-keyring.gpg | process_keys > preprocess.keys
keyanalyze

and then you should have an output/ directory. status.txt has the
reachable/strongly connected set sizes at the bottom. other.txt will
show you the average MSD.

Historic stats for the debian-keyring are at:

http://keyring.debian.org/stats/

if you want to compare (2009-05-06 is what you'll get from the above
rsync at present).

cwot isn't currently packaged, it might possibly be a useful addition
to signing-party.

J.

-- 
Don't hit the keys so hard, it hurts.
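The two checks discussed in this thread (does the swap knock any key out of the strongly connected set, and how does the mean shortest distance move) can be illustrated on a toy signature graph. This is an added example, not keyanalyze or anything from the signing-party package: GRAPH, the key ids A to E and the replacement key D2 are all constructed, and "MSD" here is taken to mean the mean path length from every other strong-set key to the key in question.

```python
from collections import deque
# Constructed sample: A, B, C form a cycle; D is cross-signed with C and E.
GRAPH = {"A": {"B"}, "B": {"C"}, "C": {"A", "D"}, "D": {"C", "E"}, "E": {"D"}}

def _distances(graph, start, reverse=False):
    """BFS hop counts from start, along signature edges forward or backward."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        nexts = ([k for k, s in graph.items() if node in s] if reverse
                 else graph.get(node, ()))
        for nxt in nexts:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def strong_set(graph):
    """Largest strongly connected set: keys that all reach each other via sigs."""
    best = set()
    for key in graph:
        scc = set(_distances(graph, key)) & set(_distances(graph, key, True))
        best = max(best, scc, key=len)
    return best

def mean_shortest_distance(graph, key, strong):
    """MSD of `key`: mean path length from every other strong-set key to it."""
    dist = _distances(graph, key, reverse=True)
    hops = [dist[k] for k in strong if k != key]
    return sum(hops) / len(hops) if hops else float("inf")

def average_msd(graph, strong):
    """Average MSD over the strong set (the figure other.txt summarises)."""
    return round(sum(mean_shortest_distance(graph, k, strong)
                     for k in strong) / len(strong), 3)

def replace_key(graph, old, new, signs, signed_by):
    """Copy of graph with `old` deleted and `new` imported with its signatures."""
    g = {k: v - {old} for k, v in graph.items() if k != old}
    g[new] = set(signs)
    for signer in signed_by:
        g.setdefault(signer, set()).add(new)
    return g

def assess_replacement(graph, old, new, signs, signed_by):
    """Who falls out of the strong set, and average MSD before and after."""
    before, after_graph = strong_set(graph), replace_key(graph, old, new, signs, signed_by)
    after = strong_set(after_graph)
    return {"dropped": sorted(before - after - {old}), "strong": (len(before), len(after)),
            "avg_msd": (average_msd(graph, before), average_msd(after_graph, after))}
```

With D2 signed by C and E but not yet signing anyone back, E drops out of the strong set while the average MSD actually falls, so the two figures from status.txt and other.txt need to be read together rather than either one alone.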
Re: Notes from keyring-maint; end of the world not predicted
On Wednesday, 20 May 2009, Jonathan McDowell wrote:
> My attitude to this is that yes, people should be considering
> replacing their existing GPG keys with something stronger using
> SHA256 or better for signatures (and a keysize of greater than 1024
> bits).

Hmm, would that mean gpg --enable-dsa2 --cert-digest-algo SHA256 or
something?

Also, does gpg have an option to make it output the hash algorithms of
key (ID) signatures? I can't seem to find one.

-- 
Magnus Holmgren        <holmg...@debian.org>
Debian Developer
Re: Notes from keyring-maint; end of the world not predicted
On Wed, May 20, 2009 at 08:50:09PM +0200, Magnus Holmgren wrote:
> Hmm, would that mean gpg --enable-dsa2 --cert-digest-algo SHA256 or
> something?
>
> Also, does gpg have an option to make it output the hash algorithms of
> key (ID) signatures? I can't seem to find one.

Feed a key to gpg --list-packets and look at the digest algo numbers on
the signatures.