Key Transition Statements: Worthless?
Posted: Sun, 22 June 2014 | 3 Comments
Ten days ago, I blogged about (finally) generating a GPG key transition statement. As the title of this post suggests, I have received zero signatures. Have other people had any success with transition statements? Perhaps it’s time to hit up Debian developers I know one-by-one…
To the IRCz!
From: Gunnar Wolf
Humm… I am not a fan of key transition statements. They do serve a purpose: They inform your friends you actually did migrate away from a key to a new one they don’t trust yet. But as a keyring-maint, I have yet to see them being useful for key re-signing. I have seen very little impact in that regard.
I directly emailed a key transition statement to everyone who had signed my old key and got no signatures in return. A year later, I sent it again as a reminder (as I was then actually rolling over the key) and got precisely 1 signature in return. I’m not sure if people actively dislike them and so don’t touch them or if they are scared of them because they don’t know whether to trust them or not.
From: Martin Gollowitzer
I had a key transition last year and sent an e-mail to everybody who had signed my old key. I didn’t check the numbers, but from what I saw on my new key, the turnover was probably 10% or less.