Best Practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 13 22:40:56 CET 2010


On 12/13/2010 01:13 PM, David Shaw wrote:
> Why is it that using the method you advocate, there is a graceful
> changeover between fingerprint formats, but a change in the
> certificate format requires a "hard cut-over" with "global
> interruption of existing networks..." ?

I was assuming that new certificates come with new keys, and that new
keys could not certify or be certified by existing (old) certificates.

Are v3 keys able to certify or be certified by v4 certificates?

> I suspect a changeover would take somewhere between 5 and 10 years,
> just as the v3->v4 changeover did.

That sounds like what i would expect as well.

> It is premature to try and force a particular format into the
> design before we even have a SHA-3 to talk about.

i agree.  That's why i've been proposing that people transition to new
algorithms without trying to wait for a format change that is likely to
take years to even begin, plus many more years to complete.

	--dkg
