Re: Moving to stronger keys than 1024D

To: debian-project@lists.debian.org
Subject: Re: Moving to stronger keys than 1024D
From: Paul Wise <pabs@debian.org>
Date: Sat, 5 Oct 2013 13:58:50 +0800
Message-id: <[🔎] CAKTje6F-u-F15PsZ83-aHe6JjHA==AuawSgO1bmGQMSOgh8AyQ@mail.gmail.com>
In-reply-to: <[🔎] 20131005054140.GC32795@gwolf.org>
References: <[🔎] 20131004230239.GA13313@master.debian.org> <[🔎] CAKTje6FnLta3RNqBLxPE0hG6b2Y=Sd2wg1sM_cNtP8oZJ5cn5Q@mail.gmail.com> <[🔎] 877gdss72x.fsf@windlord.stanford.edu> <[🔎] 20131005054140.GC32795@gwolf.org>

On Sat, Oct 5, 2013 at 1:41 PM, Gunnar Wolf wrote:


> In addition to Paul's numbers, we have also the DM keyring, which is
> in a much better shape quite probably because it's much newer.

Good news.

> - Give a suitable time window for the key migration and disable old
>   keys. Jonathan gave a first suggestion of 6 months.

Sounds good.

> - Actually reach out to people and make explicit that 1024D is *no
>   longer enough*. We guess that some of them never paid too much
>   attention to the issue, and those are the most likely to be "Debian
>   outliers", not people inside the core group who meet year-to-year
>   with the community and play the "get more signatures" game.

Yes please, via (at least mail to all of the non-revoked UIDs on all
these keys. Some of the people with 1024-bit keys are very active
(some in core teams) though so perhaps that should be restricted.

> - An idea to help said outliers is to use the data in LDAP to tell
>   them who lives closest to them so they can get signatures more
>   quickly. Of course, this has the disadvantage on relying on our
>   (known-bogus and known-incomplete) LDAP geolocation data.

The city information in LDAP might be better, perhaps alongside these:

https://wiki.debian.org/LocalGroups
https://wiki.debian.org/Keysigning/Offers
https://wiki.debian.org/BSP
https://wiki.debian.org/DebianEvents

> - If we were to retire all 1024D keys today, we would lock out
>   approx. two thirds of Debian. That's clearly unacceptable. I don't
>   think it's feasible to attempt it until we are closer to the one
>   third mark — And I'm still not very comfortable with it. But OTOH,
>   it can help us pinpoint those keys that are not regularly used

Agreed.

>   - People who have done MIA-tracking, do our tools report when was
>     the last activity we saw in connection with a given key? I'd guess
>     they do...

They do:

$ ssh qa.debian.org /srv/qa.debian.org/mia/mia-query pabs | grep -i pgp
activity-pgp:[Thu, 03 Oct 2013 13:51:38] "610B 28B5 5CFC FE45 EA1B
563B 3116 BA5E 9FFA 69A3" "<debian-bugs-dist@lists.debian.org>
archive/latest/1010533" "<1380807999.31767.36.camel@chianamo>"

> - Yes, Ansgar points out that it's still probably easier to steal a
>   GPG key than to break it. Not all of us follow the safest computing
>   techniques, do we?

Indeed, for example probably the majority of us use a web browser on
the same machine as our OpenPGP keys.

> (yes, sure, but what does well-connected mean‽)

Strong set?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Reply to:

References:
- Moving to stronger keys than 1024D
  - From: Aníbal Monsalve Salazar <anibal@debian.org>
- Re: Moving to stronger keys than 1024D
  - From: Paul Wise <pabs@debian.org>
- Re: Moving to stronger keys than 1024D
  - From: Russ Allbery <rra@debian.org>
- Re: Moving to stronger keys than 1024D
  - From: Gunnar Wolf <gwolf@gwolf.org>

Prev by Date: Re: Moving to stronger keys than 1024D
Next by Date: Re: Moving to stronger keys than 1024D
Previous by thread: Re: Moving to stronger keys than 1024D
Next by thread: Re: Moving to stronger keys than 1024D
Index(es):
- Date
- Thread