
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!



On 3 March 2014 18:13, Gunnar Wolf <gwolf@gwolf.org> wrote:

> As keyring maintainers, we no longer consider 1024D keys to be
> trustable. We are not yet mass-removing them, because we don't want to
> hamper the project's work, but we definitively will start being more
> aggressively deprecating their use. 1024D keys should be seen as
> brute-force vulnerable nowadays. Please do migrate away from them into
> stronger keys (4096R recommended) as soon as possible.

Please could you change https://wiki.debian.org/DebianMaintainer , which currently says a ">= 2048 bit" key is required (I assume this is still correct) but does not specifically recommend 4096? I recently became a DM, and created a 2048 bit key to do so, as that satisfied the advice given on that page, and also happened to be the default length offered by GPG on my system. Only after I'd had it signed and uploaded it did I find advice that new keys should be 4096 bits.

(I've already reported this issue in a couple of different places; the page is not user-editable or I'd've fixed it myself!)
