Re: Add djbw@kernel.org to 1ED2916A667D8802.asc

["Uwe Kleine-König" <u.kleine-koenig@baylibre.com>]

[-- Attachment #1: Type: text/plain, Size: 1731 bytes --]

Hallo Dan,

On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> ...
> -----END PGP PUBLIC KEY BLOCK-----

The two UIDs that are already tracked in the pgpkeys repo are only
protected by SHA1, and also the key binding is affected. GnuPG has no
issues with that, but other tools (e.g. Sequioa) take this more serious.
(See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
for how to fix that.)

While you can address this yourself, your key has several signatures
protected by SHA1, which is somewhat the same issue, but you'd need the
cooperation of the guys who signed your key before, to fix that. The
easiest way to do that is to ask them to resign your certificate.
In return you can offer to resign their certs as there are several
SHA1-protected signatures by you on other keys. See
https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
for the "todo list".

Don't hesitate to ask if questions arise.

From my side this doesn't need to stop adding your updated cert to the
pgpkeys repo, as it doesn't make things worse than they already are.

Best regards
Uwe

PS: While it's not uniformly well recieved in the kernel community, the
people more involved with PGP crypto also recommend an expiry date on
certificates to enforce to a certain degree that users of your
certificate notice changes to your key.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]