
Re: [Debconf-discuss] DebConf15: Last call for keys for keysigning in Heidelberg, Germany



On Tue 2015-08-04 03:59:16 -0400, Jonathan McDowell wrote:
> | I can think of no good reason to be including these keys in the DC14
> | keysigning and in fact believe that it is actively harmful for us to be
> | encouraging people to continue propagating the use of 1024 bit keys. I
> | hope that all 6 keys are from people who have also generated larger
> | keys, but even if they're not I would like to request that they are
> | removed from the DC14 keysigning keyring.
>
> Aníbal responded and asked if anyone had any objections to removing the
> 1024D keys. There were none, so he did.
>
> I stand by my statement from last year. While the keysigning party is,
> as you say, not the Debian keyring it is not the case that the keyring
> team arbitrarily decided to move away from 1024 bit keys. It was a
> decision taken in the wider crypto context.

I agree with Jonathan's assessment here.  Would we be willing to
propagate 512-bit RSA keys in the keysigning announcement?  768-bit RSA
keys?  Keys with known vulnerabilities?

The organizers of the Debian KSP have some level of responsibility to
the community as a whole to set baseline norms, and 1024-bit DSA or RSA
keys are well below the kinds of baseline norms we should be adopting in
2015.

        --dkg

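As a concrete form of the check the keysigning organizers applied when pruning 1024-bit keys, here is an added example (not code from this thread or from the Debian keyring team) that parses `gpg --with-colons` output and lists the primary keys whose size falls below a baseline. The embedded listing is constructed, the 2048-bit threshold for RSA/DSA/ElGamal is an assumed baseline, and `check_keyring` simply runs gpg on a keyring file you name.

```python
import subprocess
from typing import Dict, List

# OpenPGP public-key algorithm IDs (RFC 4880 sec. 9.1) as gpg reports them in field 4
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ELG", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Assumed baseline for the KSP keyring: below 2048 bits is rejected for the RSA/DSA/
# ElGamal families; elliptic-curve sizes are not comparable, so they are not checked.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "ELG": 2048}

# Constructed sample of `gpg --with-colons --list-keys --fingerprint` output (not real keys).
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1039000000::-:::scESC::::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1039000000::HASH1::Example One (constructed) <one@example.org>::::::::::0:
sub:-:2048:16:FEDCBA9876543210:1039000000::::::e::::::
fpr:::::::::111111111111111111111111FEDCBA9876543210:
pub:-:4096:1:1122334455667788:1400000000::-:::scESC::::::
fpr:::::::::2222222222222222222222221122334455667788:
uid:-::::1400000000::HASH2::Example Two (constructed) <two@example.org>::::::::::0:
pub:-:256:22:8899AABBCCDDEEFF:1430000000::-:::scESC::::::
fpr:::::::::3333333333333333333333338899AABBCCDDEEFF:
uid:-::::1430000000::HASH3::Example Three (constructed) <three@example.org>::::::::::0:
"""

def parse_colon_listing(text: str) -> List[Dict]:
    """One record per primary key: keyid, algo, bits, fingerprint and user IDs."""
    keys: List[Dict] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "bits": int(f[2]), "fpr": None, "uids": [],
                         "algo": ALGO_NAMES.get(int(f[3]), "algo" + f[3])})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after a pub line belongs to the primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def weak_keys(keys: List[Dict], min_bits: Dict[str, int] = MIN_BITS) -> List[Dict]:
    """Primary keys whose algorithm family has a baseline and whose size is below it."""
    return [k for k in keys if k["algo"] in min_bits and k["bits"] < min_bits[k["algo"]]]

def check_keyring(path: str) -> List[Dict]:
    """Run gpg on a keyring file (e.g. the KSP keyring) and return its weak keys."""
    out = subprocess.run(["gpg", "--no-default-keyring", "--keyring", path,
                          "--with-colons", "--list-keys", "--fingerprint"],
                         check=True, capture_output=True, text=True).stdout
    return weak_keys(parse_colon_listing(out))
```

Against the sample listing, `weak_keys(parse_colon_listing(SAMPLE_LISTING))` returns only the 1024-bit DSA key; the 256-bit EdDSA key is left alone because the bound is RSA/DSA-specific.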