[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: PGP Keys

From: Ben Reser <ben_at_reser.org>
Date: Tue, 23 Oct 2012 04:45:46 -0500

On Fri, Oct 5, 2012 at 5:10 PM, Ben Reser <ben_at_reser.org> wrote:
> Given that we're coming up on a couple of opportunities for various
> developers to get together an potentially sign keys I thought I'd
> bring this subject up.
>
> 1) SHA-1 based keys should be migrated off of. The US Government's
> requirement of agencies was to stop using SHA-1 by the end of 2010.
> We're nearly 2 years past that date and there are actually several
> people still signing releases with such keys. In particular if you're
> still using a 1024 DSA key that means you. You can check by looking
> at your looking at how GPG represents your key, if it says 1024D then
> you need to replace that key. Details on a sane way of migrating keys
> can details about the situation can be found on this blog:
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you have any questions about this I'll do my best to answer them.
>
> 2) There is going to be 2 opportunities in the coming months when
> several of us are together that it may be useful to carry out a key
> signing party.
>
> a) Greenwich, Connecticut USA October 13th - 15th at the
> mini-hackathon before SVN Live.
> b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
>
> I plan on organizing key signing at both events if there is sufficient
> people interested and there will be keys that need signing. Given the
> issue the SHA-1 issue described above and the key signing party
> options. Now might be a excellent time to generate a new key,
> especially if you're planning on attending one of those events.
>
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time). Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
>
> This is not just an opportunity for developers to sign each others
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures. So feel free
> to pass this information along to anyone that's interested.
>
> I'd like to plan the details for the Greenwich, Connecticut
> opportunity no later than Tuesday October 8th, so please reply ASAP if
> you're interested in that. I'll post more details once I've figured
> them out.

I neglected to do this in Greenwich. Everyone that's said anything
about doing this is also here in London plus quite a few other people.
 So I'll try to put something together during the first session today
which is about Hook Scripts and I doubt is very interesting to any of
us.
Received on 2012-10-23 11:46:34 CEST

This is an archived mail posted to the Subversion Dev mailing list.