
Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!

I have just pushed our pseudo-monthly batch of keyring updates to
Debian. I am happy to inform you that, while the situation described
in Clint Adams' interesting assessment of the state of the Debian
keyring¹ (and the quite constructive conversation that followed) still
holds, and we still have way too many weak (1024D) keys in the Debian
keyring, we got a noticeable effect as a result of said thread: 20 key
upgrade requests in somewhat over a one-week period! (Mostly from DDs,
with two from DMs, IIRC.)

So, for any DD or DM reading this and not following the debian-project
list where this thread took place:

As keyring maintainers, we no longer consider 1024D keys to be
trustable. We are not yet mass-removing them, because we don't want to
hamper the project's work, but we will definitely start deprecating
their use more aggressively. 1024D keys should be seen as
brute-force vulnerable nowadays. Please do migrate away from them to
stronger keys (4096R recommended) as soon as possible.
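If you are not sure what your own key looks like in the 1024D/4096R notation used above, gpg's machine-readable listing tells you: field 3 of a `pub` record is the key length, field 4 the algorithm number (17 = DSA, 1 = RSA), and field 10 of the following `fpr` record is the fingerprint. The POSIX shell/awk filter below is an added example, not part of this mail or of the keyring-maint tooling; it reads such a listing on stdin and reports every primary key shorter than 2048 bits. The sample listing it checks is constructed (the key IDs and fingerprints are not real keys).

```shell
#!/bin/sh
# Report weak primary keys from `gpg --with-colons --list-keys` output.
# Colon-listing fields used here (1-based, as documented in gnupg's
# doc/DETAILS): pub:$3 = key length, pub:$4 = public-key algorithm,
# pub:$5 = key ID, fpr:$10 = fingerprint of the preceding pub/sub.
# Output: one line per weak key, "<lengthAlgo> <keyid> <fingerprint>".
weak_primary_keys() {
    awk -F: '
        # Map the OpenPGP algorithm id to the letter gpg prints after the
        # key length (R = RSA, D = DSA); anything else is shown as "?".
        function algo_letter(a) { return a == 1 ? "R" : a == 17 ? "D" : "?" }

        # A pub record starts a new primary key; remember whether it is
        # weak and how to describe it.  1024D and 1024R both qualify.
        $1 == "pub" { weak = ($3 < 2048); keyid = $5; desc = $3 algo_letter($4) }

        # The first fpr record after a pub record is that primary key'"'"'s
        # fingerprint.  Clear the flag so subkey fingerprints are ignored.
        $1 == "fpr" && weak { print desc, keyid, $10; weak = 0 }
    '
}

# Constructed sample listing (not a real keyring): one 1024-bit DSA key
# with a 2048-bit Elgamal subkey, and one 4096-bit RSA key.
SAMPLE_LISTING='pub:u:1024:17:0123456789ABCDEF:2004-01-01:::u:::scaESCA::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::2004-01-01::0::Example DD <dd@example.org>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:2004-01-01::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:4096:1:89ABCDEF01234567:2014-01-01:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::2014-01-01::0::Example DD <dd@example.org>::::::::::0:'

# Run the filter over the constructed sample.  Against a real keyring,
# pipe gpg into the function instead:
#   gpg --with-colons --list-keys | weak_primary_keys
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | weak_primary_keys
}

check_sample
```

Only the 1024D primary key is reported; the 4096R key and the Elgamal subkey are not. A hit means the key in question is one of those this mail asks you to replace.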

If you have a key with not-so-many active DD signatures (where
not-so-many means ≥ 2) and are waiting to get more signatures on it,
stop waiting and request the key replacement².

If you do not yet have a 4096R key, create a new one³ as soon as
possible and get some signatures on it. Once ≥2 DDs have signed it,
please request us to replace your old key. If you cannot get to meet
two DDs in person, please talk to us⁴ and we will find out what to do.

    - Gunnar Wolf


¹ https://lists.debian.org/debian-project/2014/02/msg00119.html
² http://keyring.debian.org/replacing_keys.html
³ http://keyring.debian.org/creating-key.html
⁴ keyring-maint@debian.org
