[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

PGP v3 key support to be dropped from Debian keyring

About this time last year there was some concern over the security of
SHA-1 and the beginnings of a move to stronger keys using SHA-2. I wrote
a mail to d-d-a[0] indicating that keyring-maint was in favour of moving
to strong hashes, and in particular was keen to remove all the legacy v3
keys that were still active.

I have sent numerous mails over the past year to try and chase DDs with
v3 keys to generate a new v4 key that is linked into to our web of
trust. In that time we've gone from 200 v3 keys down to 20. While it
would be nice to get this number to 0 before dropping support it seems
unlikely that this will happen; in my mail last September[1] I'd stated
that I hoped the transition would be completed by Christmas, but there
were still people trying to delay beyond that point.

So, on 1st July 2010 keyring-maint will remove all v3 keys from the
active Debian keyring; debian-keyring.pgp will become an empty file (we
will cease to generate it at all once DSA and ftp-master have confirmed
none of their tools are using it any longer).

We will allow a 2 month period after this date where we will accept a
signature from an old v3 key as part of a trust chain to a new v4 key;
it will still require a signature from another DD (and ideally 2). On
1st September 2010 we will no longer trust any v3 keys as part of key

All affected DDs have been mailed several times about replacing their
key, but just in case they've managed to miss the mails to d-d-a, the
direct mails or my blog post[2] here is the complete list of affected

0x0D2156BD3D97C149 Michael Stone <mstone>
0x225FD911CD269B31 Carlos Barros <cbf>
0x31E73F14E298966D James R. Van Zandt <jrv>
0x366CD3FEEBC11B01 Chris Waters <xtifr>
0x37A73FE355E8BC4D Frederic Lepied <lepied>
0x3E973117DCC528E9 Ardo van Rangelrooij <ardo>
0x5C7A46637953F711 Rich Sahlender <rsahlen>
0x5D6560F85F30F005 Craig Brozefsky <craig>
0x6B0E322836129171 Jim Westveer <jwest>
0x723724B4A5B6DD31 Christian Meder <meder>
0x8FFC405EFD5A67CD Adam Di Carlo <aph>
0xB0D269DE17F3D4D1 Matthew Vernon <matthew>
0xBC151FC8D2A913A1 Peter S Galbraith <psg>
0xC1A0A171C2DCD3B1 Jim Mintha <jmintha>
0xC3168EBA23F5ADDB Ian Jackson <iwj>
0xCE951B1160D74C7D Patrick Cole <ltd>
0xE82A8B0D57137FE5 Paul Seelig <pseelig>
0xF20E242CE77AC835 Brian White <bcwhite>
0xFBAA570C3087194D Alan Bain <afrb2>
0xFFD1B4AC7C19FD19 David Engel <david>

I suspect some of these developers are MIA (and have been in contact
with the MIA team); only 2 votes in the recent DPL election. 7 have
failed to make any response to my mails. 9 have uploaded packages since
August 2008. And 9 were already known to the MIA database. Some have
stated they will try and sort out a new key, but have not yet managed to
do so.

If you are one of these people, please either get a new key sorted and
signed and reply to the mails I've sent you, or reply and say you no
longer wish to be involved in Debian. And if you know any of these
people, encourage them to get a new key sorted and offer to sign it for

J, with his keyring-maint hat on.

[0] http://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
[1] http://lists.debian.org/debian-devel-announce/2009/09/msg00011.html
[2] http://www.earth.li/~noodles/blog/2010/04/out-damnd-pgp-v3.html

"Just chill. What's with all the rush? Debian is brewed longer for a
stronger, fresher taste. We only release it when it's ready." --
Robster, posting to debian-devel about Woody.

Attachment: signature.asc
Description: Digital signature

Reply to: