* Lionel Elie Mamane:

> Why can't we have a master key that signs the yearly keys? After all,
> we have a long-term unique X.509 master key, so what's the difference
> with OpenPGP?
End users are typically not exposed to the X.509 keys, which makes things a lot easier. By the way, if you've got a master key, you need to plan for key rollover, too. Why not apply that procedure directly to the keys used to sign the release files?

A yearly key change just results in unnecessary administrative overhead for our users, without providing any real benefit to them. A key compromise still needs manual intervention.

At the very least, if we have to keep that yearly key change for political reasons, please schedule it in a way that it doesn't happen in January.
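The hierarchy being debated above (a long-lived master key that certifies a yearly signing key, with the client checking the chain, the validity window and a revocation list before trusting a signature on a Release file) as an added, self-contained example. It is not code from this thread or from the Debian archive tooling: it uses Go's standard-library Ed25519 instead of OpenPGP, the certificate format (public key, not-before, not-after, master signature) is a hypothetical one made up for the example, and the Release file content is a constructed sample. The revocation check is there to make the point in the message concrete: rotating keys on a schedule does not remove the need for manual intervention after a compromise.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// YearlyKeyCert is the master key's endorsement of one short-lived signing
// key, bound to a validity window. Hypothetical format for this example.
type YearlyKeyCert struct {
	Key       ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	MasterSig []byte // master signature over certBytes(Key, NotBefore, NotAfter)
}

// certBytes is the canonical byte string the master key signs:
// 32-byte public key || 8-byte not-before || 8-byte not-after (big-endian Unix seconds).
func certBytes(key ed25519.PublicKey, nb, na time.Time) []byte {
	buf := make([]byte, len(key)+16)
	copy(buf, key)
	binary.BigEndian.PutUint64(buf[len(key):], uint64(nb.Unix()))
	binary.BigEndian.PutUint64(buf[len(key)+8:], uint64(na.Unix()))
	return buf
}

// IssueYearlyKey generates a fresh signing key for one calendar year and has
// the (offline) master key certify it for that year only.
func IssueYearlyKey(master ed25519.PrivateKey, year int) (ed25519.PrivateKey, YearlyKeyCert, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, YearlyKeyCert{}, err
	}
	nb := time.Date(year, time.January, 1, 0, 0, 0, 0, time.UTC)
	na := time.Date(year+1, time.January, 1, 0, 0, 0, 0, time.UTC)
	cert := YearlyKeyCert{Key: pub, NotBefore: nb, NotAfter: na}
	cert.MasterSig = ed25519.Sign(master, certBytes(pub, nb, na))
	return priv, cert, nil
}

// SignRelease signs a Release file with the current yearly key.
func SignRelease(yearly ed25519.PrivateKey, release []byte) []byte {
	return ed25519.Sign(yearly, release)
}

// VerifyRelease is the client side: check that the master key certified the
// yearly key, that the yearly key is valid at time now, that it has not been
// revoked, and only then check the signature on the Release file itself.
func VerifyRelease(masterPub ed25519.PublicKey, cert YearlyKeyCert, revoked []ed25519.PublicKey,
	release, sig []byte, now time.Time) error {
	if !ed25519.Verify(masterPub, certBytes(cert.Key, cert.NotBefore, cert.NotAfter), cert.MasterSig) {
		return errors.New("yearly key is not certified by the master key")
	}
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return fmt.Errorf("yearly key not valid at %s", now.Format(time.RFC3339))
	}
	// Rotation does not replace revocation: a compromised key inside its
	// window must still be pulled by hand, which is what this list models.
	for _, r := range revoked {
		if bytes.Equal(r, cert.Key) {
			return errors.New("yearly key has been revoked")
		}
	}
	if !ed25519.Verify(cert.Key, release, sig) {
		return errors.New("bad signature on Release file")
	}
	return nil
}

func main() {
	masterPub, master, _ := ed25519.GenerateKey(rand.Reader)
	k2023, c2023, _ := IssueYearlyKey(master, 2023)
	k2024, c2024, _ := IssueYearlyKey(master, 2024)
	release := []byte("Origin: Debian\nSuite: stable\n") // constructed sample
	mid2024 := time.Date(2024, time.June, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("2024 key in 2024:", VerifyRelease(masterPub, c2024, nil, release, SignRelease(k2024, release), mid2024))
	fmt.Println("2023 key in 2024:", VerifyRelease(masterPub, c2023, nil, release, SignRelease(k2023, release), mid2024))
	fmt.Println("revoked 2024 key:", VerifyRelease(masterPub, c2024, []ed25519.PublicKey{c2024.Key}, release, SignRelease(k2024, release), mid2024))
}
```

Note what the example makes visible: the client only ever has to pin the master public key, and the yearly key's validity is enforced by the window the master signed, not by the client remembering to fetch a new key. That is exactly why the message argues that the rollover procedure you would need for the master key anyway could be applied directly to the release-signing key, and the revocation branch shows that neither design avoids manual handling of a compromise.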