
Re: Moving to stronger keys than 1024D

On Sat, Oct 5, 2013 at 1:41 PM, Gunnar Wolf wrote:

> In addition to Paul's numbers, we have also the DM keyring, which is
> in a much better shape quite probably because it's much newer.

Good news.

> - Give a suitable time window for the key migration and disable old
>   keys. Jonathan gave a first suggestion of 6 months.

Sounds good.

> - Actually reach out to people and make explicit that 1024D is *no
>   longer enough*. We guess that some of them never paid too much
>   attention to the issue, and those are the most likely to be "Debian
>   outliers", not people inside the core group who meet year-to-year
>   with the community and play the "get more signatures" game.

Yes please, via (at least) mail to all of the non-revoked UIDs on all
these keys. Some of the people with 1024-bit keys are very active
(some in core teams) though, so perhaps that should be restricted.

> - An idea to help said outliers is to use the data in LDAP to tell
>   them who lives closest to them so they can get signatures more
>   quickly. Of course, this has the disadvantage on relying on our
>   (known-bogus and known-incomplete) LDAP geolocation data.

The city information in LDAP might be better, perhaps alongside these:


> - If we were to retire all 1024D keys today, we would lock out
>   approx. two thirds of Debian. That's clearly unacceptable. I don't
>   think it's feasible to attempt it until we are closer to the one
>   third mark — And I'm still not very comfortable with it. But OTOH,
>   it can help us pinpoint those keys that are not regularly used


>   - People who have done MIA-tracking, do our tools report when was
>     the last activity we saw in connection with a given key? I'd guess
>     they do...

They do:

$ ssh qa.debian.org /srv/qa.debian.org/mia/mia-query pabs | grep -i pgp
activity-pgp:[Thu, 03 Oct 2013 13:51:38] "610B 28B5 5CFC FE45 EA1B
563B 3116 BA5E 9FFA 69A3" "<debian-bugs-dist@lists.debian.org>
archive/latest/1010533" "<1380807999.31767.36.camel@chianamo>"

> - Yes, Ansgar points out that it's still probably easier to steal a
>   GPG key than to break it. Not all of us follow the safest computing
>   techniques, do we?

Indeed, for example probably the majority of us use a web browser on
the same machine as our OpenPGP keys.

> (yes, sure, but what does well-connected mean‽)

Strong set?
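The two criteria discussed in the thread (is a key still 1024D, and when was it last seen in a mia-query activity-pgp record) can be combined into a short script. The following is an added example, not part of the original thread and not Debian's keyring or MIA tooling. It parses the machine-readable `gpg --with-colons --list-keys` format, joins it with activity-pgp lines of the shape quoted above (assuming one record per line), skips revoked keys, and marks each weak key as active, stale (no use inside the 6-month window suggested in the thread) or never-seen. It goes slightly beyond 1024D by treating any RSA or DSA key under 2048 bits as weak. All key IDs, fingerprints, UIDs and dates are constructed sample data.

```python
"""Flag 1024D (and other sub-2048-bit RSA/DSA) keys and sort them by last use.

Added example, not part of the original thread or of Debian's keyring tools.
It parses the machine-readable `gpg --with-colons --list-keys` format and
joins it with mia-query style `activity-pgp:` lines (one record per line
assumed). All key IDs, fingerprints and dates below are constructed sample
data, not real Debian keyring contents.
"""
import re
from datetime import datetime, timedelta, timezone

# gpg colon-format fields used here (1-based, per gpg's DETAILS document):
#   2 validity ('r' = revoked), 3 key length in bits, 4 public-key algorithm
#   (1 = RSA, 17 = DSA), 5 long key ID; on 'uid' records field 10 is the user ID.
# Constructed sample listing; only the fields above matter.
SAMPLE_KEYRING = """\
pub:u:1024:17:0A1B2C3D4E5F6071:2001-03-04::-:::scSC::::::::
uid:u::::2001-03-04::0000::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:B0B0B0B0B0B0B0B2:2011-09-12::-:::scSC::::::::
uid:u::::2011-09-12::0000::Bob Example <bob@example.org>::::::::::0:
pub:u:1024:17:C0FFEE0000000003:1999-11-30::-:::scSC::::::::
uid:u::::1999-11-30::0000::Carol Example <carol@example.org>::::::::::0:
pub:r:1024:17:DADADADADADADAD4:2000-01-01::-:::scSC::::::::
uid:r::::2000-01-01::0000::Dave Example <dave@example.org>::::::::::0:
pub:u:1024:17:E1E1E1E1E1E1E1E5:2002-06-06::-:::scSC::::::::
uid:u::::2002-06-06::0000::Erin Example <erin@example.org>::::::::::0:
"""

# Constructed activity records in the shape quoted from mia-query in the thread.
SAMPLE_ACTIVITY = """\
activity-pgp:[Thu, 03 Oct 2013 13:51:38] "DEAD BEEF 0000 1111 2222 3333 0A1B 2C3D 4E5F 6071" "<a@example.org>"
activity-pgp:[Sun, 15 Jan 2012 09:00:00] "4444 5555 6666 7777 8888 9999 C0FF EE00 0000 0003" "<c@example.org>"
"""

# Reference date for the sample run (assumed: a few days after the thread).
NOW = datetime(2013, 10, 6, tzinfo=timezone.utc)

ACTIVITY_RE = re.compile(r'activity-pgp:\[([^\]]+)\]\s+"([0-9A-Fa-f ]+)"')
ALGO_SUFFIX = {1: "R", 17: "D"}  # the "1024D" / "4096R" shorthand used in the thread


def parse_keyring(listing):
    """Return a list of primary keys with their user IDs from colon-format output."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "revoked": f[1] == "r",
                       "bits": int(f[2]), "algo": int(f[3]), "uids": []}
            keys.append(current)
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def parse_activity(log):
    """Map long key ID (last 16 hex digits of the fingerprint) to latest activity time."""
    last = {}
    for line in log.splitlines():
        m = ACTIVITY_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)
        keyid = m.group(2).replace(" ", "").upper()[-16:]
        if keyid not in last or when > last[keyid]:
            last[keyid] = when
    return last


def is_weak(key, min_bits=2048):
    """True for RSA or DSA primary keys below min_bits (1024D is the usual case)."""
    return key["algo"] in ALGO_SUFFIX and key["bits"] < min_bits


def weak_key_report(listing, log, now, window=timedelta(days=183)):
    """List non-revoked weak keys with their last-seen time and a status label."""
    last = parse_activity(log)
    report = []
    for key in parse_keyring(listing):
        if key["revoked"] or not is_weak(key):
            continue
        seen = last.get(key["keyid"])
        if seen is None:
            status = "never-seen"      # no activity record at all: prime outlier candidate
        elif now - seen > window:
            status = "stale"           # not used within the migration window
        else:
            status = "active"          # still in use: needs a personal nudge, not just a cutoff
        report.append({"keyid": key["keyid"],
                       "label": f"{key['bits']}{ALGO_SUFFIX[key['algo']]}",
                       "uids": key["uids"], "last_seen": seen, "status": status})
    return report


def demo():
    """Run the report over the constructed sample data."""
    return weak_key_report(SAMPLE_KEYRING, SAMPLE_ACTIVITY, NOW)


if __name__ == "__main__":
    for row in demo():
        seen = row["last_seen"].date() if row["last_seen"] else "-"
        print(f"{row['keyid']} {row['label']} {row['status']:<10} last seen {seen}  {row['uids'][0]}")
```

On the sample data this reports Alice's 1024D key as active, Carol's as stale and Erin's as never-seen; Bob's 4096R key and Dave's revoked key are left out. Against a real keyring the listing would come from `gpg --with-colons --list-keys` and the activity lines from mia-query; the never-seen and stale rows are the ones worth the explicit "1024D is no longer enough" mail first.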


