Russ Allbery dijo [Fri, Oct 04, 2013 at 08:57:26PM -0700]:
> I suspect that some of the problem is people feeling like they need to go
> through an in-person key signing to get their new key certified, which can
> be quite awkward depending on where one lives and how much day-to-day
> contact one has with other DDs. Perhaps we should make more public the
> idea that a key transition document signed with both keys and posted
> publicly is probably sufficient to warrant signing the new key if one has
> signed the old key? (Assuming that's actually true.)
Right. We were discussing this between Ansgar Burchardt, Jonathan
McDowell and myself (prompted by Ansgar, as he noticed the same
numbers Paul Wise has just posted, giving a reference that it was
mentioned in #d-security), and we do agree it is a high priority
issue.
In addition to Paul's numbers, we have also the DM keyring, which is
in a much better shape quite probably because it's much newer.
115 4096R
54 1024D
11 2048R
1 8192R
1 3072R
1 1280R
We have not yet pushed this further because both Jonathan and me are
currently under a very high workload (well, I don't want to talk for
Jonathan, but I have come to know his work patterns somewhat ;-) )
We made a big push during ~2009 to get people to migrate away from
(even) weaker PGP keys, and IIRC completed the move by 2010. And we
have invited people to move to 4096R, with some insistence back then,
but we have really slowed down the pressure (real-life issues maybe?)
During a brief interchange of mails, several ideas were floated:
- Give a suitable time window for the key migration and disable old
keys. Jonathan gave a first suggestion of 6 months.
- Actually reach out to people and make explicit that 1024D is *no
longer enough*. We guess that some of them never paid too much
attention to the issue, and those are the most likely to be "Debian
outliers", not people inside the core group who meet year-to-year
with the community and play the "get more signatures" game.
- An idea to help said outliers is to use the data in LDAP to tell
them who lives closest to them so they can get signatures more
quickly. Of course, this has the disadvantage on relying on our
(known-bogus and known-incomplete) LDAP geolocation data.
- If we were to retire all 1024D keys today, we would lock out
approx. two thirds of Debian. That's clearly unacceptable. I don't
think it's feasible to attempt it until we are closer to the one
third mark — And I'm still not very comfortable with it. But OTOH,
it can help us pinpoint those keys that are not regularly used
- People who have done MIA-tracking, do our tools report when was
the last activity we saw in connection with a given key? I'd guess
they do...
- Yes, Ansgar points out that it's still probably easier to steal a
GPG key than to break it. Not all of us follow the safest computing
techniques, do we?
- Ansgar says, and it's in line with Russ' suggestion «A compromise
for people in remote locations would be to allow them requesting key
replacement with a stronger key that is only signed by
themselves. The price would be a weaker WoT, but maybe that would be
okay for a few keys». This one makes me somewhat uneasy: Not
requiring signatures leads to a very easy (for some definition of
easy) way to steal a dormant account's personna. I'd really like to
keep the "two signatures needed" rule.
Yes, our WoT has naturally weakened due to bitrot
(i.e. cross-signatures made with keys which are later retired might
have created WoT islands), but we do have at least identity
assurance history. We could accept (although I don't know how
practical it'd be) a possibility to equate, say, two signatures by
well-connected people in the Free Software ecosystem to equate one
DD signature? (yes, sure, but what does well-connected mean‽)
Anyway, some random thoughts. I should really head to bed now.
Thanks to Pabs for kicking me into writing this mail! :)
Attachment:
signature.asc
Description: Digital signature