| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LNX.2.00.1110050000380.31654@pobox.suse.cz> Date: Wed, 5 Oct 2011 00:02:16 +0200 (CEST) From: Jiri Kosina <jkosina@...e.cz> To: Heiko Carstens <heiko.carstens@...ibm.com> Cc: "H. Peter Anvin" <hpa@...or.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: kernel.org status: establishing a PGP web of trust On Tue, 4 Oct 2011, Heiko Carstens wrote: > > I have a question here. In case people are 'reasonably certain' that the > > old key has never been jeoparadized, why are they required to create a new > > key? > > > > (if the old key would have been compromised, the attacker could as well > > generate a new key and sign it with the old key himself, so I fail to see > > any benefit of this PGP excercise). > > > > It doesn't make too much sense to force people to live with two different > > personalities in this "PGP web of trust" world just for the sake of > > kernel.org, does it? > > Also same question here. And as far as I can tell nobody has given an > answer yet. In the meantime, at least one reason came up in parallel discussion ... a lot of people have those oldish keys generated as 1024bit or so, and using DSA. And it seems like 4096/RSA is sort of required here. -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists