1.1.5 Securely Delete Cryptographic Material


smcenroe
03-05-2008, 01:45 PM
What is the forum's take on 1.1.5? The requirement states: "Securely delete any cryptographic key material or cryptogram stored by previous versions of the software."

How literally should one take this? I generally use a broad stroke of the brush and say "securely delete any keys you are no longer using PERIOD". But my position is being challenged so I'm looking for either support or guidance as to where to draw the line.

EPCHK
03-07-2008, 01:29 PM
My take on it is the same as yours. I haven't run into your situation before. I have had to do a little teaching about the implications of not deleting the keys and such (like the risk of past-end-of-life data you thought you got rid of coming back to bite you).

lyalc
03-07-2008, 11:44 PM
I'd be looking to see installation processes that ensure new keys overwrite/delete the previous ones, not just get added to a key store (e.g. java) or registry location (e.g. Windows), or new keystores are created during the install as is commonly the case in some crypto frameworks.
In such cases, the old keys hang around, just waiting to be misused.

The more complex element in my view is the term 'cryptogram'.
Is this any data encrypted by the previous version?

lyalc
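
The install behaviour discussed in the thread, where a new key replaces the earlier ones instead of being added beside them, is sketched here as an added example that is not code from any poster or from the standard. It assumes a hypothetical key store that is a flat directory of key files with versioned names (`v1.key`, `v2.key`, `v3.key` are constructed), and in-place overwriting only approximates secure deletion on SSDs, journaling or copy-on-write filesystems.

```python
import os
import secrets
import tempfile

def wipe_file(path):
    """Overwrite a file in place with random bytes, flush to disk, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(secrets.token_bytes(size))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)

def install_key(store_dir, new_name, new_key):
    """Write the new key, then wipe every other key file left in the store.

    Assumes new_name is not already used by an older key.
    Returns the names of the retired key files that were wiped."""
    new_path = os.path.join(store_dir, new_name)
    fd = os.open(new_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(new_key)
        f.flush()
        os.fsync(f.fileno())
    retired = sorted(n for n in os.listdir(store_dir) if n != new_name)
    for name in retired:
        wipe_file(os.path.join(store_dir, name))
    return retired

def leftover_keys(store_dir, current_name):
    """Post-install audit: key files other than the current one."""
    return sorted(n for n in os.listdir(store_dir) if n != current_name)

def demo():
    with tempfile.TemporaryDirectory() as store:
        # Constructed sample: two keys left behind by earlier versions.
        for name in ("v1.key", "v2.key"):
            with open(os.path.join(store, name), "wb") as f:
                f.write(secrets.token_bytes(32))
        retired = install_key(store, "v3.key", secrets.token_bytes(32))
        return retired, leftover_keys(store, "v3.key")

if __name__ == "__main__":
    print(demo())
```

An assessor-style check is the `leftover_keys` audit: after the upgrade it should return an empty list.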