[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from keyring-maint

On Wed, Sep 15, 2010 at 03:14:48PM +0200, Marco d'Itri wrote:
> On Sep 15, Christian PERRIER <bubulle@debian.org> wrote:
> > > I would like to know the process which lead to selecting these
> > > figures.
> > Apparently, just like many other things in the project: the folks
> > doing the work (and appointed for this by the project through the
> > DPL) examine the situation, make plans and decisions and then
> > announce them.
> I suppose that this was not the result of cargo cult engineering, so
> if these new recommended key values have been selected as the result
> of a process I am curious to know the rationale which lead to the
> choice.  It really looks like a simple question to me.
> I am just asking for a rationale. I would like to know if the new
> recommended key values have been selected as the result of a process,
> and what the rationale is, or if this is cargo cult engineering.

The key driver is moving away from SHA-1 based keys, but as part of the
same process we want to increase key length from 1024 bits. If you're
generating a new key and have no reason not to do so then we're
recommending 4096 bits (as the largest easily generated size with our
current tools). Yes, this is way beyond what anyone is going to be able
to attack, and there are many, many other easier attack vectors people
could use against Debian instead, but we do end up with keys hanging
around for a long time (10+ years in many cases) and we feel it makes
sense to rule out key strength as a problem given the increases in
processing power since we started out with 1024 bits.

We won't refuse 2048 bit keys; whether that be because you're using a
hardware OpenPGP smartcard, or have a slower machine and feel it makes a
big difference, or have just made an reasoned out decision that this is

J. (wearing a rather fetching keyring-maint hat)

Web [    101 things you can't have too much of : 29 - T-shirts.    ]
site: http:// [                                          ]       Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24

Attachment: signature.asc
Description: Digital signature

Reply to: