Hi apache folks--
In http://bugs.debian.org/732450, debian is preparing to
cryptographically verify OpenPGP signatures on apache upstream tarballs.
As part of the dicsussion, it's become clear that some of the keys in
https://www.apache.org/dist/httpd/KEYS are weak by any modern
consideration of public key cryptography. Could this set of keys be
pruned?
There are keys in that keyring that are nearly 20 years old, including
several 1024-bit RSA and 1024-bit DSA keys (and even one 999-bit RSA key
and one 768-bit RSA key!) 1024-bit DSA and RSA keys have been clearly
and explicitly deprecated by NIST since the end of 2010 [0]. At least
one 768-bit RSA key has actually been factored directly, 4 years ago
[1].
I really hope that apache is not still signing source tarballs with
those weak keys. And i am hoping that debian wouldn't consider such a
signature as legitimate. I note that the latest releases of 2.2.x and
2.4.x are signed by Jim Jagielski's 4096-bit RSA key, over a digest of
SHA-512. These are totally reasonable, modern, reliable choices :)
Could someone at apache clean up the KEYS file to only include strong
keys? I'd recommend removing all DSA and RSA keys < 3072 bits in
length, to aim for a minimum expected 128-bit symmetric-key equivalence.
Clearly, cryptographic signatures on distributed tarballs are not the
only security risk that apache downstreams encounter; but there's no
reason that they should be subject to compromise either, since we have
stronger algorithms available.
Regards,
--dkg
PS please keep me in the CC if there's more discussion; i've subscribed
to http-dev to try to clarify this, but can't cope with yet another
e-mail firehose for the long term. :/
[0] pp. 63-66 of http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
[1] https://en.wikipedia.org/wiki/RSA_numbers#RSA-768
Attachment:
pgpKQeLM9okSN.pgp
Description: PGP signature