PGP Keys

From: Ben Reser <ben_at_reser.org>
Date: Fri, 5 Oct 2012 15:10:41 -0700

Given that we're coming up on a couple of opportunities for various
developers to get together and potentially sign keys I thought I'd
bring this subject up.

1) SHA-1 based keys should be migrated off of. The US Government's
requirement of agencies was to stop using SHA-1 by the end of 2010.
We're nearly 2 years past that date and there are actually several
people still signing releases with such keys. In particular if you're
still using a 1024 DSA key that means you. You can check by looking
at how GPG represents your key; if it says 1024D then
you need to replace that key. Details on a sane way of migrating keys
and details about the situation can be found on this blog:
http://www.debian-administration.org/users/dkg/weblog/48

If you have any questions about this I'll do my best to answer them.

2) There are going to be 2 opportunities in the coming months when
several of us are together that it may be useful to carry out a key
signing party.

  a) Greenwich, Connecticut USA October 13th - 15th at the
mini-hackathon before SVN Live.
  b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.

I plan on organizing key signing at both events if there are sufficient
people interested and there will be keys that need signing. Given the
SHA-1 issue described above and the key signing party
options, now might be an excellent time to generate a new key,
especially if you're planning on attending one of those events.

If you're interested in participating in something like that at one of
those locations, please reply and indicate which location(s) you'll be
available to attend and the dates you'll be available (since some
people may not be available the whole time). Based on this
information I'll try to coordinate something that hits the maximum
number of people and generates the biggest web of trust.

This is not just an opportunity for developers to sign each other's
keys but also an opportunity for some of our users to sign our keys
and potentially enhance their trust of our signatures. So feel free
to pass this information along to anyone that's interested.

I'd like to plan the details for the Greenwich, Connecticut
opportunity no later than Tuesday October 8th, so please reply ASAP if
you're interested in that. I'll post more details once I've figured
them out.
Received on 2012-10-06 00:11:35 CEST

This is an archived mail posted to the Subversion Dev mailing list.
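
Added example, not part of the original mail: the "1024D" check from item 1, run against GnuPG's machine-readable `--with-colons` listing rather than the human-readable one. The sample listing, key IDs and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Flag 1024-bit DSA primary keys (shown as "1024D" in gpg's classic listing).
# Reads `gpg --list-keys --with-colons` output on stdin.
# Colon-format fields used: 1 = record type, 3 = key length in bits,
# 4 = public-key algorithm (17 = DSA), 5 = key ID, 10 = user ID.
find_weak_dsa_keys() {
    awk -F: '
        $1 == "pub" {
            weak = ($3 == 1024 && $4 == 17); keyid = $5; shown = 0
            # Older gpg versions put the primary user ID on the pub record.
            if (weak && $10 != "") { print keyid, $10; shown = 1 }
            next
        }
        # Newer versions emit user IDs as separate uid records.
        $1 == "uid" && weak && !shown { print keyid, $10; shown = 1 }
    '
}

# Constructed sample listing: one 1024-bit DSA key with an ElGamal subkey,
# and one 4096-bit RSA key. Not real keys.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:1041379200:::u:::scaESCA:
uid:u::::1041379200::0000000000000000000000000000000000000000::Old Key (constructed) <old@example.invalid>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1041379200::::::e:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1349395200:::u:::scESC:
uid:u::::1349395200::1111111111111111111111111111111111111111::New Key (constructed) <new@example.invalid>:
EOF
}

# Demo on the constructed data. Against a real keyring:
#   gpg --list-keys --with-colons | find_weak_dsa_keys
sample_listing | find_weak_dsa_keys
```

Only primary (`pub`) records are checked, since that is the key that certifies user IDs and is what the "1024D" label in the listing refers to.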