
Removing < 2048 bit keys from the Debian keyrings

5 years ago we started to get worried about the strength of the OpenPGP
keys. In May 2009 I stated in a mail to d-d-a[0] that as a project we
should be making an orderly move towards stronger keys but not at the
expense of our Web of Trust.

In September 2009 I reminded[1] people to ensure their new keys had a
reasonable number of signatures before requesting replacement.

On October 1st 2010 we stopped[2] accepting new keys that were smaller
than 2048 bits to the Debian keyrings.

This year, in March[3], we stated that while we were not yet doing a mass
removal we were aggressively deprecating the use of 1024 bit keys.

Earlier this week I sent emails directly to the 650+ Debian Developers
and Debian Maintainers who still have keys less than 2048 bits in our
keyrings. This informed them that their key will be removed from the
relevant keyring at the end of the year (31st December 2014).

I am pleased to report that we have already seen 40+ requests for
replacement submitted to RT as a result, and expect to see more during
the weeks after DebConf. I would ask that DDs make some effort to help
those with weak keys get their new, stronger keys signed. Please sign
responsibly[4], this is an opportunity for us to improve our web of

J, on behalf of keyring-maint.

[0] https://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
[1] https://lists.debian.org/debian-devel-announce/2009/09/msg00011.html
[2] https://lists.debian.org/debian-devel-announce/2010/09/msg00003.html
[3] https://lists.debian.org/debian-devel-announce/2014/03/msg00003.html
[4] http://xkcd.com/364/

/-\                             |           We fear change.
|@/  Debian GNU/Linux Developer |
\-                              |
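A check for the weak keys the announcement describes, as an added example that is not keyring-maint's own tooling: it parses the machine-readable output of `gpg --with-colons --list-keys` and reports primary keys below 2048 bits. The field layout (record type, key length, algorithm number, key ID, fingerprint and user ID positions) follows gpg's documented colon format; the sample listing is constructed and contains no real Debian keys.

```python
"""Find primary OpenPGP keys shorter than 2048 bits in `gpg --with-colons` output."""
from typing import Dict, List

MIN_BITS = 2048           # minimum accepted into the Debian keyrings since October 2010
ECC_ALGOS = {18, 19, 22}  # ECDH/ECDSA/EdDSA: short by design, not weak (RFC 4880/6637)

# Constructed listing in gpg's colon format (assumption: not real Debian keys). Field 1
# is the record type, field 3 the key length in bits, field 4 the algorithm number
# (1 = RSA, 17 = DSA, 16 = ElGamal), field 5 the key ID; `fpr` and `uid` records
# carry their value in field 10. A 1024-bit DSA primary key with a 2048-bit ElGamal
# subkey is still a weak key under the policy above.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2005-03-01::u:::scESC::::::::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::2005-03-01::HASH::Constructed Developer <weak@example.org>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:2005-03-01::::::e::::::23:
pub:u:4096:1:1122334455667788:2014-08-01::u:::scESC::::::::0:
fpr:::::::::0000000000000000000000001122334455667788:
uid:u::::2014-08-01::HASH::Constructed Developer <strong@example.org>::::::::::0:
"""


def weak_primary_keys(listing: str, min_bits: int = MIN_BITS) -> List[Dict[str, object]]:
    """Return one dict per primary key below min_bits; subkeys are not examined."""
    found: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            bits, algo = int(f[2]), int(f[3])
            # Dict is shared with `found`, so the fpr/uid filled in below show up there.
            current = {"keyid": f[4], "bits": bits, "algo": algo, "fpr": "", "uid": ""}
            if algo not in ECC_ALGOS and bits < min_bits:
                found.append(current)
        elif f[0] == "fpr" and current and not current["fpr"]:
            current["fpr"] = f[9]   # first fpr after pub is the primary key's
        elif f[0] == "uid" and current and not current["uid"]:
            current["uid"] = f[9]   # first uid is enough to address the owner
    return found


if __name__ == "__main__":
    for key in weak_primary_keys(SAMPLE_LISTING):
        print(f"{key['fpr']} ({key['bits']}-bit algo {key['algo']}): {key['uid']}")
```

On a real keyring, feed the function the output of `gpg --with-colons --list-keys` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`).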
