Questions about web of trust, new keys, and whether it's even a thing any more
Werner Koch
wk at gnupg.org
Mon Jan 12 11:34:00 CET 2026
On Mon, 12 Jan 2026 00:26, Steve Sawczyn said:
> migrating to newer keys, all those old signatures were lost. To be
> fair, I’m sure that most of those signatures could no longer be

That's right and shows that the Web of Trust does not really work to its
full extent in real life.

The reasons why old PGP 2 keys can't be used anymore are:

- GnuPG 2.x dropped almost all support for those v3 (and v2) keys.
- GnuPG does not anymore support the really broken MD5 hash algorithm.
- Some people fear collision attacks on SHA-1 keys and thus by default
  SHA-1 key signatures, as done for many years, are now not anymore usable.

Note that gpg 1.4 is still available to decrypt old encrypted data.

> change again and people will need to generate new keys? What about
> key expiration, wouldn’t that cause a person to essentially have to
> start over with gathering signatures for new keys, or otherwise

It is possible and suggested to prolong the expiration time of a key.
However, some folks used a signature expiration time when doing their 3rd
party key signatures; this can only be solved by issuing a new key
signature.

Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
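
An added example, not part of the message above and not GnuPG code: a small audit that reads a text listing in the style of `gpg --list-packets` and flags the three conditions the message names (v2/v3 key packets, MD5 or SHA-1 signature digests, and signatures that carry their own expiration time). The function name `audit_packets` is hypothetical, the listing layout is assumed to match gpg's packet dump, and the sample listing and key IDs are constructed.

```python
import re

# RFC 4880 hash algorithm IDs the message lists as no longer accepted.
WEAK_DIGESTS = {1: "MD5", 2: "SHA-1"}

def audit_packets(listing):
    """Return (tag, detail) findings for a `gpg --list-packets` style listing."""
    findings, kind, keyid = [], None, None
    for line in listing.splitlines():
        if line.startswith(":"):  # a packet header line starts a new packet
            m = re.match(r":(public key|public sub key|signature) packet:", line)
            kind = m.group(1) if m else None
            m = re.search(r"keyid ([0-9A-F]+)", line)
            keyid = m.group(1) if m else None
            continue
        body = line.strip()
        if kind in ("public key", "public sub key"):
            m = re.match(r"version (\d+),", body)
            if m and int(m.group(1)) < 4:  # v2/v3 keys, dropped by GnuPG 2.x
                findings.append(("legacy-key", f"v{m.group(1)} key packet"))
        elif kind == "signature":
            m = re.match(r"digest algo (\d+),", body)
            if m and int(m.group(1)) in WEAK_DIGESTS:
                name = WEAK_DIGESTS[int(m.group(1))]
                findings.append(("weak-digest", f"{name} signature by {keyid}"))
            # Subpacket type 3 is the signature expiration time.
            m = re.search(r"subpkt 3 len \d+ \(sig expires after ([^)]*)\)", body)
            if m:
                findings.append(("sig-expires", f"by {keyid} after {m.group(1)}"))
    return findings

# Constructed sample in the style of `gpg --list-packets` output.
SAMPLE = """\
:public key packet:
    version 4, algo 1, created 1262304000, expires 0
:signature packet: algo 1, keyid 1111111111111111
    version 4, created 1262304000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 5a 10
    hashed subpkt 9 len 4 (key expires after 5y0d0h0m)
:signature packet: algo 1, keyid 2222222222222222
    version 4, created 1262390400, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 9c 41
:signature packet: algo 1, keyid 3333333333333333
    version 4, created 1262476800, md5len 0, sigclass 0x10
    digest algo 8, begin of digest 77 02
    hashed subpkt 3 len 4 (sig expires after 2y0d0h0m)"""

if __name__ == "__main__":
    print(audit_packets(SAMPLE))
```

The key's own expiration (subpacket 9 on the self-signature) is not reported, since the key owner can extend it; only subpacket 3 on a signature is, because that needs a new signature from the signer.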