On 12/26/2013 06:18 PM, Nick Kew wrote:
> You're ahead of us. Individual Apache folks like Jim have taken
> responsibility and moved to 4096-bit keys, but we haven't as a
> community had the discussion that might lead to pruning KEYS.
> My inclination is to say NO to requiring anyone to remove old keys,
> but YES to encouraging strong keys to sign all releases.
Thanks for considering this, Nick.
At the moment, some of your downstreams have the impression that KEYS
indicates all of the keys that Apache might use to sign releases. For
example, in http://bugs.debian.org/732450#22 Arno Töll writes:
>> Therefore, I thought a more complete patch would be a keyring which
>> includes all signatures of people allowed to sign and release code on
>> behalf of the httpd project.
Maybe you could update the preamble of KEYS to indicate that only strong
keys (and please clearly define "strong" if y'all are making this
policy) will be used to sign releases?
> That may be an issue for some Apache folks. For myself, my newer
> (4096-bit) key has fewer sigs than my old 1024-bit, though not
> catastrophically so. What is perhaps more of an issue is that hardly
> any of the signatures on the new key are from Apache folks, as I have
> (alas) not made it to Apachecon for a couple of years now. Others may
> have a range of reasons for retaining older keys.
Your 4096-bit key (0x3CE3BAC2EB7BBC624D1D22D8F3B9D88CB87F79A9) appears
to be certified by nearly 60 other keys -- including at least a couple of
Debian developers and Nikos Mavrogiannopoulos (the lead GnuTLS
developer). I can't speak for all of Debian, but I think a strong key
connected by a few paths to other established free software developers
is more reliable than a weak key connected by dozens of paths.
The keys themselves should not be the weak point in our cryptosystems.
>  Key IDs 40581837 and B87F79A9
(I recommend using full fingerprints instead of key IDs if you have to
communicate about a specific key:
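As an added example (not part of the original thread), a small Python check of the point about key IDs versus fingerprints: it derives the long and short key IDs from the 4096-bit key's fingerprint quoted above and confirms that B87F79A9 is nothing more than its last 32 bits. The fingerprint and key IDs come from the mail; the function names are assumptions of this example.

```python
import re

# Values quoted in the thread above: the full v4 fingerprint of the
# 4096-bit key and the two short key IDs mentioned in the reply.
FINGERPRINT = "0x3CE3BAC2EB7BBC624D1D22D8F3B9D88CB87F79A9"
SHORT_IDS_IN_MAIL = ("40581837", "B87F79A9")


def normalize_fingerprint(text: str) -> str:
    """Accept a v4 fingerprint written with spaces, an 0x prefix or
    mixed case; return 40 upper-case hex digits or raise ValueError."""
    cleaned = re.sub(r"\s+", "", text)
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {text!r}")
    return cleaned


def key_ids_from_fingerprint(fpr: str) -> dict:
    """For an OpenPGP v4 key the key ID is the low-order 64 bits of the
    SHA-1 fingerprint (RFC 4880, section 12.2). The 'short' key ID that
    people paste into mail is only the low-order 32 bits: 8 hex digits."""
    fpr = normalize_fingerprint(fpr)
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}


def key_id_is_consistent(key_id: str, fpr: str) -> bool:
    """True if an 8- or 16-hex key ID is the tail of the fingerprint.
    A match only rules out a transcription error: 32 (or even 64) bits do
    not identify a key, which is why the mail asks for full fingerprints."""
    ids = key_ids_from_fingerprint(fpr)
    kid = key_id.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    if len(kid) == 8:
        return kid == ids["short_id"]
    if len(kid) == 16:
        return kid == ids["long_id"]
    raise ValueError(f"key ID must be 8 or 16 hex digits: {key_id!r}")


if __name__ == "__main__":
    ids = key_ids_from_fingerprint(FINGERPRINT)
    print(f"long key ID {ids['long_id']}, short key ID {ids['short_id']}")
    for kid in SHORT_IDS_IN_MAIL:
        print(f"{kid}: tail of the 4096-bit fingerprint? "
              f"{key_id_is_consistent(kid, FINGERPRINT)}")
```

Running it shows that B87F79A9 is the tail of the quoted fingerprint while 40581837 is not, so the latter must belong to a different key (the mail gives no fingerprint for it).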