[Bug 1461834] Re: 1024-bit signing keys should be deprecated
Bob Freeman
bobfreeman at nycmail.com
Sun May 7 20:53:33 UTC 2017
Sign with two keys then, and try to tell people. After a period of time
you could disable the old key (i.e. no longer sign anything with it) - for
anyone who still hasn't updated their configuration their system will
still work, but instead of updates they would get errors. Then they
would update their config.

(Note that all PPA packages are already available through TLS, e.g.
https://launchpad.net/~fnu/+archive/ubuntu/main-fnu/+build/8797131/+files/cmake-qt-gui_2.8.12.2-3_amd64.deb
but only for manual download. It is not used automatically by apt, so to
be secure you have to identify and manually download a lot of packages.
These can be found through the 'View package details' link at the top
right on all PPA main pages)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Invalid
Status in gnupg2 package in Ubuntu:
New
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
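
The bug description asks for a mechanism that refuses signing keys below a minimum length based on key type. The sketch below is an added example, not code from Launchpad, apt or gnupg: it applies such a policy to the colon-delimited output of `gpg --list-keys --with-colons`. The thresholds, the function name and the sample listing (with made-up key IDs) are assumptions for illustration.

```python
# Added example: per-key-type minimum length check over gpg colon output.
# Policy values and the sample listing are constructed, not Launchpad's.

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}

# Hypothetical policy: minimum bits per key type. Key types that are
# not listed here are refused (fail closed).
MIN_BITS = {"RSA": 2048, "DSA": 2048}

# Constructed sample in `gpg --with-colons` format. Field 3 is the key
# length, field 4 the algorithm ID, field 5 the key ID, field 12 the
# capabilities (s = sign, c = certify, e = encrypt).
SAMPLE_LISTING = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1230768000:::-:::scESC:
sub:-:2048:16:DDDDDDDDDDDDDDDD:1230768000::::::e:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1420070400:::-:::scESC:
sub:-:1024:1:CCCCCCCCCCCCCCCC:1420070400::::::s:
"""


def weak_signing_keys(listing, min_bits=MIN_BITS):
    """Return (keyid, key type, bits) for each signing key below policy."""
    rejected = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue  # uid, fpr and other record types carry no key length
        bits = int(fields[2])
        algo = ALGO_NAMES.get(int(fields[3]), "algo-" + fields[3])
        caps = fields[11]
        if "s" not in caps and "c" not in caps:
            continue  # encryption-only key, never used to sign packages
        minimum = min_bits.get(algo)
        if minimum is None or bits < minimum:
            rejected.append((fields[4], algo, bits))
    return rejected


if __name__ == "__main__":
    for keyid, algo, bits in weak_signing_keys(SAMPLE_LISTING):
        print(f"REFUSE {keyid}: {bits}-bit {algo} is below policy")
```

Note that a strong primary key does not help if a signing subkey is short, which is why subkeys are checked as well.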