Policy For Sunsetting GPG Keys < 2048 Bits

Scott Kitterman ubuntu at kitterman.com
Wed Nov 26 23:09:41 UTC 2014

As many of you know, Debian is in the process of terminating use of 1024 bit 
keys due to near term security concerns [1].  In Ubuntu, we should probably do 
this too, but since any developer can replace an existing key via the 
Launchpad U/I and there's no requirement to get keys signed through web of 
trust, we ought to be able to do it much faster.

Some data [2]

Ubuntu has a total of 207 uploaders.
Ubuntu has a total of 314 GPG keys with upload privileges tied to them.

Here is a rough status of the number of primary and sub-keys and their sizes:

    119 pub   dsa1024
      2 pub   dsa3072
      1 pub   dsa768
      2 pub   rsa1024
      1 pub   rsa10240
      1 pub   rsa2047
     56 pub   rsa2048
      1 pub   rsa3072
    120 pub   rsa4096
      1 pub   rsa8192
      1 sub   dsa3072
     27 sub   elg1024
      2 sub   elg1536
     71 sub   elg2048
     16 sub   elg4096
      1 sub   elg768
      9 sub   rsa1024
      1 sub   rsa10240
     66 sub   rsa2048
      8 sub   rsa3072
      1 sub   rsa4064
    112 sub   rsa4096

While this does affect a significant number of keys, it's easy for people to 
upgrade, so this transition doesn't have to take a long time.  On IRC 
(#ubuntu-release) we discussed the idea of, once a policy is decided on, 
having a U-D-A announcement, followed by individual nag mails, and warnings 
after uploads with keys that are about to be disabled.  There was some 
discussion about whether PPAs should have the same restriction or not.


Scott K

[1] https://lists.debian.org/debian-devel-announce/2014/11/msg00004.html
[2] Thanks to stgraber, xnox, and wgrant
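As an added example (not part of the mail), the kind of check behind the table above: a Python script that parses `gpg --list-keys --with-colons` output, buckets primary and sub-keys by algorithm and size, and lists every key under 2048 bits. The colon-format listing it reads is constructed, not a real keyring.

```python
"""Audit a `gpg --list-keys --with-colons` listing for keys below a size.

Uses field 1 (record type), field 3 (key length in bits), field 4 (algorithm
number) and field 5 (key ID) of each pub/sub record to build the same
"algoSIZE" buckets as the table in the mail and to flag keys under the cutoff.
"""
from collections import Counter

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1) mapped to the
# short names gpg prints in its human-readable listing.
ALGO_NAMES = {1: "rsa", 2: "rsa", 3: "rsa", 16: "elg", 17: "dsa",
              18: "ecdh", 19: "ecdsa", 22: "eddsa"}
MIN_BITS = 2048  # the cutoff the policy discussion proposes

# Constructed sample; only the first five colon-separated fields are used.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAA1:1200000000::u:::scESC::::::::::
sub:u:1024:16:AAAAAAAAAAAAAAA2:1200000000::::::e::::::::
pub:u:4096:1:BBBBBBBBBBBBBBB1:1300000000::u:::scESC::::::::::
sub:u:4096:1:BBBBBBBBBBBBBBB2:1300000000::::::e::::::::
pub:u:2047:1:CCCCCCCCCCCCCCC1:1300000000::u:::scESC::::::::::
"""

def parse_keys(listing):
    """Yield (record_type, bits, algo_name, key_id) for pub/sub records."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue  # skip fpr, uid, sig and other record types
        bits = int(fields[2])
        algo = ALGO_NAMES.get(int(fields[3]), "algo%s" % fields[3])
        yield fields[0], bits, algo, fields[4]

def summarise(listing):
    """Count keys per (record type, algoSIZE) bucket, like the mail's table."""
    return Counter((rec, "%s%d" % (algo, bits))
                   for rec, bits, algo, _ in parse_keys(listing))

def weak_keys(listing, min_bits=MIN_BITS):
    """List (key_id, record_type, algoSIZE) for every key under min_bits.
    A weak subkey is reported even when its primary key is strong."""
    return [(kid, rec, "%s%d" % (algo, bits))
            for rec, bits, algo, kid in parse_keys(listing) if bits < min_bits]

if __name__ == "__main__":
    for (rec, bucket), n in sorted(summarise(SAMPLE).items()):
        print("%5d %s   %s" % (n, rec, bucket))
    for kid, rec, bucket in weak_keys(SAMPLE):
        print("below %d bits: %s %s %s" % (MIN_BITS, rec, kid, bucket))
```

Run it against a real listing with `gpg --list-keys --with-colons | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; DSA keys are reported by their own size, so dsa3072 entries pass the 2048 cutoff but may still warrant attention.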

