Policy For Sunsetting GPG Keys < 2048 Bits
Scott Kitterman
ubuntu at kitterman.com
Wed Nov 26 23:09:41 UTC 2014
As many of you know, Debian is in the process of terminating use of 1024 bit
keys due to near term security concerns [1]. In Ubuntu, we should probably do
this too, but since any developer can replace an existing key via the
Launchpad U/I and there's no requirement to get keys signed through web of
trust, we ought to be able to do it much faster.
Some data [2]
Ubuntu has a total of 207 uploaders.
Ubuntu has a total of 314 GPG keys with upload privileges tied to them.
Here are rough status on the number of primary and sub-keys and their sizes:
119 pub dsa1024
2 pub dsa3072
1 pub dsa768
2 pub rsa1024
1 pub rsa10240
1 pub rsa2047
56 pub rsa2048
1 pub rsa3072
120 pub rsa4096
1 pub rsa8192
1 sub dsa3072
27 sub elg1024
2 sub elg1536
71 sub elg2048
16 sub elg4096
1 sub elg768
9 sub rsa1024
1 sub rsa10240
66 sub rsa2048
8 sub rsa3072
1 sub rsa4064
112 sub rsa4096
While this does affect a significant number of keys, it's easy for people to
upgrade, so this transition doesn't have to take a long time. On IRC
(#ubuntu-release) we discussed the idea of, once a policy is decided on,
having a U-D-A announcement, followed by individual nag mails, and warnings
after uploads with keys that are about to be disabled. There was some
discussion about if PPAs should have the same restriction or now.
Discuss...
Scott K
[1] https://lists.debian.org/debian-devel-announce/2014/11/msg00004.html
[2] Thanks to stgraber, xnox, and wgrant
More information about the technical-board
mailing list