On Wed, Jul 18, 2012 at 10:23:08AM -0700, Jonathan McDowell wrote:
> If the attacker doesn't actually have the old key but was able to get it to sign the new key + transition statement then even worse the attacker can now read something they otherwise couldn't.
I think this is the crux of it. How could the above happen? If the attacker has signed the transition statement with the old key, hasn't he already compromised the old key? This is a sincere question, I'm open to being convinced.
If it's possible to forge the signed transition statement without compromising the old key, then there is merit to trusting the old key and not the new one. On the other hand, if you reach the conclusion that the only way to sign the transition statement is to compromise the old key, then you may as well trust the new key -- there is no significant risk of the new key being compromised while the old one is not.
Richard
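The check the thread is arguing about, as an added example that is not part of the original thread or of anyone's key-transition tooling: a verifier that already trusts the old key accepts a new key only if the transition statement binding the two fingerprints is signed by the old key (and, as the usual transition-statement practice has it, also by the new key). Ed25519 keys, SHA-256 fingerprints and the statement text are assumptions chosen to keep the example self-contained; they stand in for the OpenPGP keys and free-form statements the thread is about. The forged case shows what Richard's reasoning rests on: an attacker who controls the new key but not the old private key can produce a valid new-key signature, yet cannot produce the old-key signature the verifier requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint is an assumed fingerprint format: SHA-256 over the raw public key, hex encoded.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TransitionStatement binds an old key to a new key. The layout is an assumption for this
// example; real statements are free-form text carrying detached OpenPGP signatures.
type TransitionStatement struct {
	OldFP  string
	NewFP  string
	OldSig []byte // signature by the old (already trusted) key
	NewSig []byte // signature by the new key, proving its holder endorses the transition
}

// statementBody is the exact byte string both keys sign.
func statementBody(oldFP, newFP string) []byte {
	return []byte("key transition statement: old=" + oldFP + " new=" + newFP)
}

// SignTransition is what the legitimate key owner does: sign with both private keys.
func SignTransition(oldPriv, newPriv ed25519.PrivateKey) TransitionStatement {
	oldFP := Fingerprint(oldPriv.Public().(ed25519.PublicKey))
	newFP := Fingerprint(newPriv.Public().(ed25519.PublicKey))
	body := statementBody(oldFP, newFP)
	return TransitionStatement{
		OldFP:  oldFP,
		NewFP:  newFP,
		OldSig: ed25519.Sign(oldPriv, body),
		NewSig: ed25519.Sign(newPriv, body),
	}
}

// VerifyTransition is the relying party's check. trustedOld is the key the verifier already
// trusts; claimedNew is the key the statement asks it to trust from now on.
func VerifyTransition(trustedOld, claimedNew ed25519.PublicKey, st TransitionStatement) error {
	if Fingerprint(trustedOld) != st.OldFP {
		return errors.New("statement does not name the key we already trust")
	}
	if Fingerprint(claimedNew) != st.NewFP {
		return errors.New("statement does not name the key being offered")
	}
	body := statementBody(st.OldFP, st.NewFP)
	// This is the signature only the old private key can produce.
	if !ed25519.Verify(trustedOld, body, st.OldSig) {
		return errors.New("old-key signature invalid: statement not authorised by the trusted key")
	}
	if !ed25519.Verify(claimedNew, body, st.NewSig) {
		return errors.New("new-key signature invalid: new key holder did not endorse the transition")
	}
	return nil
}

// Demo runs a legitimate transition and a forged one. Returns the verification result for each.
func Demo() (legit, forged error) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	legit = VerifyTransition(oldPub, newPub, SignTransition(oldPriv, newPriv))

	// Attacker: holds a key of their own (not oldPriv) plus the new key they want trusted.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	atkNewPub, atkNewPriv, _ := ed25519.GenerateKey(rand.Reader)
	body := statementBody(Fingerprint(oldPub), Fingerprint(atkNewPub))
	forgedSt := TransitionStatement{
		OldFP:  Fingerprint(oldPub), // names the real old key...
		NewFP:  Fingerprint(atkNewPub),
		OldSig: ed25519.Sign(attackerPriv, body), // ...but the attacker cannot sign as it
		NewSig: ed25519.Sign(atkNewPriv, body),   // the new-key signature alone is valid
	}
	forged = VerifyTransition(oldPub, atkNewPub, forgedSt)
	return legit, forged
}

func main() {
	legit, forged := Demo()
	fmt.Println("legitimate statement:", legit)
	fmt.Println("forged statement:    ", forged)
}
```

The forged statement is rejected solely on the old-key signature, which is the point of the exchange above: without the old private key (or a way to get the old key to sign the statement body), no transition statement verifies, so a verified statement is evidence about the old key, not about the new one.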