As a sidenote, I beleive it's 2 years once you collect some amount of
Assurance Points.

 
I would second this request - with the one year signature validity on
keys, trust during the transition could be accommodated by cross signing
the new and old keys for a year, then retiring the old one completely
(by either expiration or revocation), since no one would have a valid
signature after that point from the old key.

A 4096 bit or larger key should have many years left, but could also be
restricted to a shorter time frame as we 'chase the moving target' of
security. (The chance that a key we could create today meeting security
requirements needed in 30 years is likely ludicrous)

What would it take to have someone look at prioritizing this?  Would
this need development to be achieved, or just time from those with
access to accomplish key creation, cross signing, documentation updates
(system and in the list of root keys), and then finally replacement?

Gary
is DSA 1024? It should have been considered as insecure since a long
time ago for CA usage. The key was generated in 2003. > > A bug was
reported : http://bugs.cacert.org/view.php?id=1278 > but no activity. >
insecure. > > As CACert only signs the users keys for a one-year period
(which is very short), I don't think the change would break a long-term
chain of trust. > > OpenPGP WoT is a great feature of CACert but I think
that with such security parameters it is not safe to use it and would
better be removed if not updated. > > CACert OpenPGP Key listed here:
https://www.cacert.org/index.php?id=3 > > By the way, thanks to
everybody who built and maintained this project across the years. > >
Regards. > -- > Bastien