On 12/23/2013 06:48 AM, Arno Töll wrote: > thanks for that suggestion. I added your patch for the upcoming package > upload. great, thank you! > I did, however, add the full keyring of Apache developers that > /could/ sign a release as listed in http://www.apache.org/dist/httpd/KEYS While we're talking about cryptographic controls: please fetch these sorts of files in the future using https instead of http, if you can. it looks to me like all of apache's mirror there is available under https :) There are keys in that keyring that are nearly 20 years old, including several 1024-bit RSA and 1024-bit DSA keys (and even one 999-bit RSA key and one 768-bit RSA key!) Keys of this size have been clearly and explicitly deprecated by NIST since the end of 2010 [0]. at least one 768-bit RSA key has actually been factored directly, 4 years ago [1]. Debian really should not be relying on weak keys. Jim Jagielski's release signing key is fine -- a 4096-bit RSA key created in 2010. There are several other comparably strong keys in the KEYS keyring that i'd be fine adding. But if apache is issuing cryptographic signatures from any of the weak keys in KEYS, we should encourage them to stop doing so. Apache's source code is a high-value target, and we should not leave the software distribution mechanism open to fiddling based on weak keys for cryptographic certifications. (and before someone objects: yes, there are other ways that an adversary might be able to inject bad code into apache; that doesn't mean that we should leave open the holes that we know how to close) I recommend filtering KEYS by removing every key whose primary key (or any signing-capable subkey) is less than 3072 bits (assuming RSA or DSA keys here) before storing it in debian/upstream-signing-key,pgp. Regards, --dkg [0] pp. 63-66 of http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf [1] https://en.wikipedia.org/wiki/RSA_numbers#RSA-768
Attachment:
signature.asc
Description: OpenPGP digital signature