Re: Moving to stronger keys than 1024D
On Sat, Oct 5, 2013 at 1:41 PM, Gunnar Wolf wrote:
> In addition to Paul's numbers, we have also the DM keyring, which is
> in a much better shape quite probably because it's much newer.
> - Give a suitable time window for the key migration and disable old
> keys. Jonathan gave a first suggestion of 6 months.
> - Actually reach out to people and make explicit that 1024D is *no
> longer enough*. We guess that some of them never paid too much
> attention to the issue, and those are the most likely to be "Debian
> outliers", not people inside the core group who meet year-to-year
> with the community and play the "get more signatures" game.
Yes please, via (at least mail to all of the non-revoked UIDs on all
these keys. Some of the people with 1024-bit keys are very active
(some in core teams) though so perhaps that should be restricted.
> - An idea to help said outliers is to use the data in LDAP to tell
> them who lives closest to them so they can get signatures more
> quickly. Of course, this has the disadvantage on relying on our
> (known-bogus and known-incomplete) LDAP geolocation data.
The city information in LDAP might be better, perhaps alongside these:
> - If we were to retire all 1024D keys today, we would lock out
> approx. two thirds of Debian. That's clearly unacceptable. I don't
> think it's feasible to attempt it until we are closer to the one
> third mark — And I'm still not very comfortable with it. But OTOH,
> it can help us pinpoint those keys that are not regularly used
> - People who have done MIA-tracking, do our tools report when was
> the last activity we saw in connection with a given key? I'd guess
> they do...
$ ssh qa.debian.org /srv/qa.debian.org/mia/mia-query pabs | grep -i pgp
activity-pgp:[Thu, 03 Oct 2013 13:51:38] "610B 28B5 5CFC FE45 EA1B
563B 3116 BA5E 9FFA 69A3" "<email@example.com>
> - Yes, Ansgar points out that it's still probably easier to steal a
> GPG key than to break it. Not all of us follow the safest computing
> techniques, do we?
Indeed, for example probably the majority of us use a web browser on
the same machine as our OpenPGP keys.
> (yes, sure, but what does well-connected mean‽)