A few months ago a group of researchers announced a fairly serious attack that shattered everyone’s faith in SHA-1. It has frightening implications for anyone who relies on cryptographic signatures, and while consensus is that there is little danger in the near-term, most people agree that now is the time to start a move to something stronger.
So, I’ve begun my transition, (document here), and submitted my new key for the Debconf9 signing party later this month. I intentionally left out any mention of a time-line in the transition doc, and I’m in no big hurry. I’ll retire the old key once I have enough signatures, or once there is evidence of a real threat, whichever comes first.