Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file

To: dev@httpd.apache.org
Cc: 732450@bugs.debian.org
Subject: Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 27 Dec 2013 10:49:22 -0500
Message-id: <[🔎] 52BDA182.9080502@fifthhorseman.net>
Reply-to: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 732450@bugs.debian.org
In-reply-to: <[🔎] 2CEF92DE-4477-4BA1-9852-21327A09F53F@webthing.com>
References: <[🔎] 87sitfl1xd.fsf@alice.fifthhorseman.net> <[🔎] 2CEF92DE-4477-4BA1-9852-21327A09F53F@webthing.com>

On 12/26/2013 06:18 PM, Nick Kew wrote:
> You're ahead of us.  Individual Apache folks like Jim have taken
> responsibility and moved to 4096-bit keys, but we haven't as a
> community had the discussion that might lead to pruning KEYS.
> My inclination is to say NO to requiring anyone to remove old keys,
> but YES to encouraging strong keys to sign all releases.

Thanks for considering this, Nick.

At the moment, some of your downstreams have the impression that KEYS
indicates all of the keys that apache might use to sign releases.  For
example, in  http://bugs.debian.org/732450#22 Arno Töll writes:

>> Therefore, I thought a more complete patch would be a keyring which
>> includes all signatures of people allowed to sign and release code on
>> behalf of the httpd project.

Maybe you could update the preamble of KEYS to indicate that only strong
keys (and please clearly define "strong" if y'all are making this
policy) will be used to sign releases?

Nick again:
> That may be an issue for some Apache folks.  For myself, my newer
> (4096-bit) key has fewer sigs than my old 1024-bit[1], though not
> catastrophically so.  What is perhaps more of an issue is that hardly
> any of the signatures on the new key are from Apache folks, as I have
> (alas) not made it to Apachecon for a couple of years now.  Others may
> have a range of reasons for retaining older keys.

Your 4096-bit key (0x3CE3BAC2EB7BBC624D1D22D8F3B9D88CB87F79A9) appears
to be certified by nearly 60 other keys -- including at least a couple
debian developers and Nikos Mavrogiannopolous (the lead GnuTLS
developer).  I can't speak for all of debian, but i think a strong key
connected by a few paths to other established free software developers
is more reliable than a weak key connected by dozens of paths.

The keys themselves should not be the weak point in our cryptosystems.

> [1] Key IDs 40581837 and B87F79A9

(i recommend using full fingerprints instead of keyids if you have to
communicate about a specific key:
  https://www.debian-administration.org/users/dkg/weblog/105)

Regards,

	--dkg

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
  - From: Frederick Miller <fjmiller11@gmail.com>

References:
- Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
  - From: Nick Kew <nick@webthing.com>

Prev by Date: Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
Next by Date: Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
Previous by thread: Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
Next by thread: Bug#732450: please sign new apache releases only with strong keys -- trimming the KEYS file
Index(es):
- Date
- Thread