
Re: DAM Key and identity requirements



Hi Enrico

On Sun, Sep 13, 2020 at 09:11:04AM +0200, Enrico Zini (DAM) wrote:
>  * Minimum key size and acceptable algorithms are actually the domain of
>    keyring-maint, and we just check those for them.
>    At the time of writing this, a new key must be larger than 1024bits,
>    ideally at least 4096bits, and capable of hashes stronger than SHA1.
>    Please check [KDO] for more recent information.

Hmm, this page does not really read like some sort of policy.

It talks about key size in bits, which only applies to RSA.  What about
X25519?

>  * An encryption subkey must be present, since various parts of our
>    infrastructure require it.

Which parts?  While encryption subkeys are useful, I can't see anything
_requiring_ this.

>  * A signature subkey must be there, since various parts of our
>    infrastructure require it. Also, it is needed to build up trust (see
>    below).

Signing subkeys are pretty rare.  What is their use-case?

Also trust is built using certification, not signing (the C bit, not the
S bit).  I don't think subkeys can hold a certification setting.

Regards,
Bastian

-- 
I've already got a female to worry about.  Her name is the Enterprise.
		-- Kirk, "The Corbomite Maneuver", stardate 1514.0
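
The requirements discussed in this message, turned into a check over `gpg --with-colons --list-keys` output. This is an added example, not part of the original mail or of any Debian tooling. The sample listing and key IDs are constructed, and exempting algorithm IDs 18, 19 and 22 (ECC) from the bit-size thresholds is an assumption of this sketch.

```python
# Added example; the colon listing below is constructed, not from a real keyring.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e::::::23:
pub:u:255:22:CCCCCCCCCCCCCCCC:1600000000:::u:::cESC:::::ed25519:::0:
sub:u:255:18:DDDDDDDDDDDDDDDD:1600000000::::::e:::::cv25519::
sub:u:255:22:EEEEEEEEEEEEEEEE:1600000000::::::s:::::ed25519::
pub:-:1024:1:FFFFFFFFFFFFFFFF:1100000000:::-:::scSC::::::23::0:
"""
ECC_ALGOS = {"18": "ECDH", "19": "ECDSA", "22": "EdDSA"}  # OpenPGP algorithm IDs

def parse_keys(listing):
    """Group pub/sub records of `gpg --with-colons` output into keys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        rec = {"bits": int(f[2]), "algo": f[3], "keyid": f[4],
               # Field 12: lower-case letters are this (sub)key's own usage flags;
               # upper-case letters on a pub record summarise the whole key.
               "caps": {c for c in f[11] if c in "esca"},
               "curve": f[16] if len(f) > 16 else ""}
        if f[0] == "pub":
            keys.append({"primary": rec, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(rec)
    return keys

def audit(key):
    """Check one key against the requirements quoted in the mail."""
    p, subs = key["primary"], key["subkeys"]
    if p["algo"] in ECC_ALGOS:
        size = "n/a: " + p["curve"]      # assumption: bit thresholds skipped for ECC
    elif p["bits"] <= 1024:
        size = "too small"               # "must be larger than 1024bits"
    elif p["bits"] < 4096:
        size = "below ideal"             # "ideally at least 4096bits"
    else:
        size = "ok"
    return {"keyid": p["keyid"], "size": size,
            "enc_subkey": any("e" in s["caps"] for s in subs),
            "sign_subkey": any("s" in s["caps"] for s in subs),
            # Report where the certify (C) flag sits, separately from sign (S).
            "certify_on": ["primary"] * ("c" in p["caps"])
                          + ["subkey"] * any("c" in s["caps"] for s in subs)}

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        print(audit(k))
```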

