
Re: DAM Key and identity requirements



Mattia Rizzolo dijo [Thu, Sep 24, 2020 at 11:45:48AM +0200]:
> > >  * Minimum key size and acceptable algorithms are actually the domain of
> > >    keyring-maint, and we just check those for them.
> > >    At the time of writing this, a new key must be larger than 1024bits,
> > >    ideally at least 4096bits, and capable of hashes stronger than SHA1.
> > >    Please check [KDO] for more recent information.
> >
> > Hmm, this page does not really read like some sort of policy.
> >
> > It talks about key size in bits, which only applies to RSA.  What about
> > X25519?
> 
> You should bring that to the keyring-maints.  However I can tell you that
> EC keys are pretty much always considered good.

FWIW my key is EC25519. We doubted at first due to support for it not
being present in gnupgv1.x, but that's no longer an issue (no part of
Debian infrastructure runs below oldoldstable, which has 2.0.26).

> > >  * A signature subkey must be there, since various parts of our
> > >    infrastructure require it. Also, it is needed to build up trust (see
> > >    below).
> >
> > Signing subkeys are pretty rare.  What is their use-case?
> 
> I believe the *sub*key bit was wrong, it most likely was talking about
> signing capabilities (like above for encryption, it's all about
> capabilities, not subkeys)

Right.
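A small key-policy check of the kind this thread is discussing, added here as an example (it is not from the thread or from Debian's keyring-maint tooling). It parses `gpg --with-colons --list-keys` output and applies the thresholds quoted above (integer keys above 1024 bits, 4096 preferred, EC accepted, signing as a capability rather than a dedicated subkey); the two key listings are constructed samples, and the thresholds are those quoted in the thread, not an official policy document.

```python
# Checks `gpg --with-colons --list-keys` output against the thresholds quoted in
# this thread. The sample key listings below are constructed, not real keys.
INTEGER_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}   # bit length matters
EC_ALGOS = {18: "ECDH", 19: "ECDSA", 22: "EdDSA"}      # accepted as-is
MIN_BITS = 1024          # integer keys must be strictly larger than this
PREFERRED_BITS = 4096    # ideal size for integer keys

def parse_keys(colon_output):
    """Return one dict per pub/sub record from --with-colons output."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        keys.append({
            "keyid": f[4], "bits": int(f[2]), "algo": int(f[3]),
            # field 12: lowercase letters are this key's own capabilities;
            # uppercase letters summarise the whole key, so drop them
            "caps": "".join(c for c in f[11] if c.islower()),
            "curve": f[16] if len(f) > 16 else "",   # field 17: curve name
        })
    return keys

def evaluate_key(colon_output):
    """Apply the thread's thresholds; ok needs a signer and no weak key."""
    res = {"too_small": [], "below_preferred": [], "ec": [], "signing_capable": False}
    for k in parse_keys(colon_output):
        if "s" in k["caps"]:            # capability, not a dedicated subkey
            res["signing_capable"] = True
        if k["algo"] in INTEGER_ALGOS:
            if k["bits"] <= MIN_BITS:
                res["too_small"].append(k["keyid"])
            elif k["bits"] < PREFERRED_BITS:
                res["below_preferred"].append(k["keyid"])
        elif k["algo"] in EC_ALGOS:
            res["ec"].append((k["keyid"], k["curve"]))
    res["ok"] = res["signing_capable"] and not res["too_small"]
    return res

# Constructed samples: an Ed25519 primary (certify+sign) with a cv25519
# encryption subkey; then a 1024-bit RSA key that can certify/encrypt, not sign.
SAMPLE_EC = """\
pub:u:256:22:0000000000000001:1600000000:1700000000::u:::scESC:::::ed25519::0:
sub:u:256:18:0000000000000002:1600000000:1700000000:::::e:::::cv25519::
"""
SAMPLE_RSA = """\
pub:u:1024:1:0000000000000003:1400000000:::u:::cC::::::::0:
sub:u:1024:1:0000000000000004:1400000000::::::e::::::::
"""
```

Run it against `gpg --with-colons --list-keys <keyid>` output to see which of the three checks a real key fails; hash preferences (the SHA1 point) are not in this listing and need a separate check.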
