Key Transition Statements: Worthless?

Posted: Sun, 22 June 2014 | 3 Comments

Ten days ago, I blogged about (finally) generating a GPG key transition statement. As the title of this post suggests, I have received zero signatures. Have other people had any success with transition statements? Perhaps it’s time to hit up Debian developers I know one-by-one…

To the IRCz!


From: Gunnar Wolf
2014-06-22 17:48

Humm… I am not a fan of key transition statements. They do serve a purpose: They inform your friends you actually did migrate away from a key to a new one they don’t trust yet. But as a keyring-maint, I have yet to see them being useful for key re-signing. I have seen very little impact in that regard.

From: Stuart
2014-06-22 18:18

I directly emailed a key transition statement to everyone who had signed my old key and got no signatures in return. A year later, I sent it again as a reminder (as I was then actually rolling over the key) and got precisely 1 signature in return. I’m not sure if people actively dislike them and so don’t touch them or if they are scared of them because they don’t know whether to trust them or not.

From: Martin Gollowitzer
2014-06-23 21:05

I had a key transition last year and sent an e-mail to everybody who had signed my old key. I didn’t check the numbers, but from what I saw on my new key, the turnover was probably 10% or less.

