Policy For Sunsetting GPG Keys < 2048 Bits

Stéphane Graber stgraber at ubuntu.com
Thu Nov 27 16:31:09 UTC 2014

On Thu, Nov 27, 2014 at 09:01:20AM +0000, Mark Shuttleworth wrote:
> On 27/11/14 00:05, Kees Cook wrote:
> >
> > I think we should have the same policy for PPAs, and it should follow the
> > same timeline. Additionally, we should have LP reject uploading weak keys,
> > which could happens early in the transition timeline.
> >
> > (Seems like we should ditch DSA keys entirely, and all RSA less than 2048.)
> >
> Are any of the ECC algorithms widely trusted yet? Seem nice and
> efficient with SSH at least.
> Mark

I agree that ECC is pretty nice and that's my default for SSH nowadays,
unfortunately ECC support in GPG was only added in version 2.1 which was
released less than a month ago.

ECDSA SSH keys support in Launchpad is a whole different topic. We've
had support for ECDSA keys in sshd since at least 12.04 so I think it
can be considered widely available. The problem however is that
Launchpad uses twisted's implementation of SSH which currently only
supports RSA and DSA.

For GPG ECC key, I think we should definitely keep an eye on it and when
GPG 2.1 lands in the distro, make sure that the various tools work
properly with them. Then once our infrastructure is on a LTS version
with GPG 2.1 support (likely 16.04) we should definitely start allowing
those in Launchpad and probably update our documentation to recommend

As for the original post, I agree that we should be rejecting DSA GPG
keys entirely and any RSA key which is < 2048bit.

The TB only really has control over Ubuntu so I don't think that call is
up to us, but I'd certainly be happy to see Launchpad enforce the same
thing for PPAs.

For the timeline, as was said before, we can do all this pretty quickly,
the Launchpad code changes being our bottleneck here. I think we should
absolutely have this done before the 15.04 release and hopefully quite a
bit before that.

Stéphane Graber
Ubuntu developer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20141127/55c8f1f5/attachment.pgp>

More information about the technical-board mailing list