Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file

On 26 Dec 2013, at 21:47, Daniel Kahn Gillmor wrote:

> As part of the discussion, it's become clear that some of the keys in
> https://www.apache.org/dist/httpd/KEYS are weak by any modern
> consideration of public key cryptography.  Could this set of keys be
> pruned?

You're ahead of us.  Individual Apache folks like Jim have taken
responsibility and moved to 4096-bit keys, but we haven't as a
community had the discussion that might lead to pruning KEYS.
My inclination is to say NO to requiring anyone to remove old keys,
but YES to encouraging strong keys to sign all releases.

What is Debian's view on the relative importance of key size vs breadth
and depth of the WoT surrounding a key?  I would tend to find an ancient
1024-bit key with 100 strong-set sigs much more reassuring than a shiny
new 4096-bit with just 1 (let alone any number of non-strong-set keys)!

That may be an issue for some Apache folks.  For myself, my newer
(4096-bit) key has fewer sigs than my old 1024-bit[1], though not
catastrophically so.  What is perhaps more of an issue is that hardly
any of the signatures on the new key are from Apache folks, as I have
(alas) not made it to ApacheCon for a couple of years now.  Others may
have a range of reasons for retaining older keys.

[1] Key IDs 40581837 and B87F79A9

Nick Kew
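As an added illustration of the two measures being weighed in this thread (key size versus the number of certifications a key carries), here is a small audit script. It is not part of the bug report and not Apache's or Debian's tooling; it reads the colon-separated listing that `gpg --with-colons --list-sigs` produces after a KEYS file has been imported, reports each primary key's algorithm, size and count of signatures from other keys, and flags finite-field keys (RSA, DSA, ElGamal) below a chosen minimum size. The listing embedded below is constructed for the example; its key IDs, dates and names are placeholders, not the real keys discussed above, and the `gpg` helper assumes GnuPG 2.x is on `PATH`.

```python
"""Added example (not from the bug report): audit the keys in a KEYS file.

Given the output of `gpg --with-colons --list-sigs`, report each primary key's
algorithm, size and how many certifications from *other* keys it carries, and
flag keys whose size falls below a chosen minimum.  SAMPLE_LISTING is
constructed; its key IDs, dates and names are placeholders, not Apache keys.
"""
import subprocess
import tempfile
from dataclasses import dataclass

# OpenPGP public-key algorithm IDs as gpg prints them in field 4 of a "pub" record.
ALGO_NAMES = {"1": "RSA", "2": "RSA", "3": "RSA", "16": "ElGamal", "17": "DSA",
              "18": "ECDH", "19": "ECDSA", "22": "EdDSA"}
# Minimum size in bits for RSA/DSA/ElGamal keys; ECC keys are not judged by size here.
MIN_BITS = 2048


@dataclass
class KeyInfo:
    keyid: str
    algo: str
    bits: int
    created: str
    external_sigs: int = 0  # certifications made by keys other than this one


def parse_colons(listing: str) -> list[KeyInfo]:
    """Walk gpg's colon records, grouping "sig" lines under the current primary key."""
    keys: list[KeyInfo] = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # Fields: record type, validity, key length, algorithm, key ID, creation date, ...
            current = KeyInfo(keyid=fields[4], algo=fields[3],
                              bits=int(fields[2]), created=fields[5])
            keys.append(current)
        elif fields[0] == "sig" and current is not None:
            # Field 5 is the signing key's ID.  Self-signatures and subkey binding
            # signatures come from the primary key itself and say nothing about the WoT.
            if fields[4] != current.keyid:
                current.external_sigs += 1
    return keys


def is_weak(key: KeyInfo, min_bits: int = MIN_BITS) -> bool:
    """True for an RSA/DSA/ElGamal key shorter than min_bits."""
    return ALGO_NAMES.get(key.algo) in {"RSA", "DSA", "ElGamal"} and key.bits < min_bits


def audit(listing: str, min_bits: int = MIN_BITS) -> list[dict]:
    """One report row per primary key in the listing."""
    return [{"keyid": k.keyid, "algo": ALGO_NAMES.get(k.algo, "algo" + k.algo),
             "bits": k.bits, "created": k.created,
             "external_sigs": k.external_sigs, "weak": is_weak(k, min_bits)}
            for k in parse_colons(listing)]


def list_sigs_from_keys_file(path: str) -> str:
    """Import a KEYS file into a throwaway keyring and return gpg's colon listing.

    Assumes GnuPG 2.x is installed; the constructed sample below does not call it.
    """
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        base = ["gpg", "--homedir", home, "--batch", "--quiet"]
        subprocess.run(base + ["--import", path], check=True)
        out = subprocess.run(base + ["--with-colons", "--list-sigs"],
                             check=True, capture_output=True, text=True)
        return out.stdout


# Constructed listing: an old 1024-bit DSA key with three outside certifications
# and a new 4096-bit RSA key (with one subkey) carrying a single outside certification.
SAMPLE_LISTING = """\
pub:u:1024:17:0000000000000001:2001-03-04:::u:::scESC:
uid:u::::2001-03-04::0000000000000000000000000000000000000000::Placeholder One <one@example.invalid>:
sig:::17:0000000000000001:2001-03-04::::Placeholder One <one@example.invalid>:13x:
sig:::1:00000000000000A1:2003-05-06::::Placeholder Signer A <a@example.invalid>:10x:
sig:::1:00000000000000A2:2004-07-08::::Placeholder Signer B <b@example.invalid>:10x:
sig:::17:00000000000000A3:2005-09-10::::Placeholder Signer C <c@example.invalid>:10x:
pub:u:4096:1:0000000000000002:2013-11-01:::u:::scESC:
uid:u::::2013-11-01::1111111111111111111111111111111111111111::Placeholder Two <two@example.invalid>:
sig:::1:0000000000000002:2013-11-01::::Placeholder Two <two@example.invalid>:13x:
sig:::1:00000000000000A1:2013-12-01::::Placeholder Signer A <a@example.invalid>:10x:
sub:u:4096:1:0000000000000003:2013-11-01::::::e:
sig:::1:0000000000000002:2013-11-01::::Placeholder Two <two@example.invalid>:18x:
"""


if __name__ == "__main__":
    for row in audit(SAMPLE_LISTING):
        print(row)
```

Run against a real KEYS file with `audit(list_sigs_from_keys_file("KEYS"))`. The report deliberately shows both numbers side by side rather than ranking them, since the thread's open question is precisely how much weight a key's size should carry against the certifications it has accumulated.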

