Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Xavier Roche wrote [Wed, Mar 05, 2014 at 06:47:13PM +0100]:
> > I would tend to side more with Odyx here in that the keys are still considered trustworthy enough to be in the keyring but we're encouraging moving to stronger keys and no longer accepting these keys to be included.
>
> Yes, these were my thoughts, too. Or, to rephrase it: 1024D keys will soon be breakable (let's say in a few years), but at this present time, they are still trustworthy enough to allow transition. It doesn't mean that eventually, they'll be considered untrustworthy, later.

Right. But we do want to phase them out *completely* before they are considered untrustworthy: we want to push gently as far as possible so that most active DDs have 4096R, and then only deal with the long tail of deprecated keys *while still not exposing ourselves* to impersonation.

signature.asc
Description: Digital signature
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Wednesday, 5 March 2014, 10:47:07, Paul Wise wrote:
> On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> > I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable?
>
> Considering that the initial keys are now considered weak, I expect that it would be reasonable for people to not trust a key transition statement where the only available trust anchor is the old weak key.

Well, the project currently considers these old keys to be trustworthy enough to let the people who control them upload any packages to the archive (modulo these keys being in the uploading keyring). If we trust that the people behind the keys haven't changed, we should let them use easy ways to move to stronger keys. On the other hand, if we think the keys have been compromised, then we should really drop the upload rights!

Cheers,
OdyX

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1698122.Pbb9aiM70E@gyllingar
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 05/03/2014 10:01, Didier 'OdyX' Raboud wrote:
> On Wednesday, 5 March 2014, 10:47:07, Paul Wise wrote:
> > On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> > > I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable?
> >
> > Considering that the initial keys are now considered weak, I expect that it would be reasonable for people to not trust a key transition statement where the only available trust anchor is the old weak key.
>
> Well, the project currently considers these old keys to be trustworthy enough to let the people who control them upload any packages to the archive (modulo these keys being in the uploading keyring). If we trust that the people behind the keys haven't changed, we should let them use easy ways to move to stronger keys. On the other hand, if we think the keys have been compromised, then we should really drop the upload rights!

Hi,

On the same line of thought, couldn't we manage something with videoconferencing tools, at least for key renewal? Just to check that the person whose new key I'm signing resembles the one I met a couple of years ago. I'm quite sure I would still be able to identify most of the DDs whose key I signed.

Kind regards,
Thibaut.
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 05.03.2014 04:01, Didier 'OdyX' Raboud wrote:
> On Wednesday, 5 March 2014, 10:47:07, Paul Wise wrote:
> > On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> > > I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable?
> >
> > Considering that the initial keys are now considered weak, I expect that it would be reasonable for people to not trust a key transition statement where the only available trust anchor is the old weak key.
>
> Well, the project currently considers these old keys to be trustworthy enough to let the people who control them upload any packages to the archive (modulo these keys being in the uploading keyring). If we trust that the people behind the keys haven't changed, we should let them use easy ways to move to stronger keys. On the other hand, if we think the keys have been compromised, then we should really drop the upload rights!
>
> Cheers,
> OdyX

I would tend to side more with Odyx here in that the keys are still considered trustworthy enough to be in the keyring but we're encouraging moving to stronger keys and no longer accepting these keys to be included. The subject of compromise is a totally different situation than this and would obviously need to be handled differently, as you should no longer trust the key entirely and it should be removed.

I started the move to the high-bit RSA key because of deciding to make the move to using the OpenPGP smartcard, which only supported RSA and not DSA. This was not because I have any reason to believe my key was compromised or that I had lost the private key data. Given the lengths I go to to verify identity, control of private key data and the email addresses listed in the UID of the key, I might consider an encrypted challenge requesting signing a new replacement key provided the assurance that the original key had not been compromised and the keys were cross-signed. Though it is something I would most likely take on a case-by-case basis.

Archive: https://lists.debian.org/b5138e433b5218bb143b9cfa191db...@undergrid.net
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 05/03/2014 15:05, Jeremy T. Bouse wrote:
> I would tend to side more with Odyx here in that the keys are still considered trustworthy enough to be in the keyring but we're encouraging moving to stronger keys and no longer accepting these keys to be included.

Yes, these were my thoughts, too. Or, to rephrase it: 1024D keys will soon be breakable (let's say in a few years), but at this present time, they are still trustworthy enough to allow transition. It doesn't mean that eventually, they'll be considered untrustworthy, later.

Archive: https://lists.debian.org/53176321.50...@httrack.com
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Tue, 04 Mar 2014 04:46:17 +, Luca Filipozzi writes:
> I propose 2014-SEP-01. Gives people six months to get this done. Even *I* can get it done in that amount of time. I've already emailed my fellow Vancouver Debian Developers in the hopes of coordinating a revolution^Wkeysigning [1].

Lucky you - that schedule won't work for others like me here in AU; there's exactly one other DD just under 100km away, the remaining few on the same continent are all 1000+km distant, and I have zero budget and time for attending conferences or other social gatherings.

regards
az
-- 
Alexander Zangerl + GPG Key 0xB963BD5F (or 0x42BD645D) + http://snafu.priv.at/
This mind intentionally left blank.
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Tue, Mar 04, 2014 at 06:27:38PM +1000, Alexander Zangerl wrote:
> On Tue, 04 Mar 2014 04:46:17 +, Luca Filipozzi writes:
> > I propose 2014-SEP-01. Gives people six months to get this done. Even *I* can get it done in that amount of time. I've already emailed my fellow Vancouver Debian Developers in the hopes of coordinating a revolution^Wkeysigning [1].
>
> Lucky you

It was intended as a self-deprecating remark. None of my fellow Vancouver Debian Developers have replied!

> - that schedule won't work for others like me here in AU; there's exactly one other DD just under 100km away, the remaining few on the same continent are all 1000+km distant, and I have zero budget and time for attending conferences or other social gatherings.

I appreciate that there are challenging circumstances. That said, I think we've had plenty of time to consider upgrading our keys (I'm at 1024D; I'm part of "we") already; I believe a firm date is needed to motivate people like me to Get It Done. The Keyring Maintainers have indicated that they will discuss individual circumstances if approached.

-- 
Luca Filipozzi
http://www.crowdrise.com/SupportDebian
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
I've actually been in the process of working to transition from my existing 1024D key, which I created back in 2002, to my new 4096R key, which I created in 2011 and on which I use 3072R subkeys on an OpenPGP v2 smartcard. Unfortunately I haven't been able to get together with any other DDs to perform a key signing to get my new key signed sufficiently to make the final transition. I notified everyone who had previously signed my current 1024D key but haven't been able to travel to make any major events, and it's so far only signed by those that have attended local LUG keysignings in the past 2 years or individuals that have arranged to get together privately to do a key signing.

If any DDs are in, or will be in, the Atlanta area and would like to get together for a key signing, I would be more than welcome to get together and make the transition, as I currently don't even bother to keep my 1024D key with me for use anymore and only carry my smartcard with the 3072R subkeys, while my 4096R primary key is still left secured in my fire safe at home on the encrypted USB drive it resides on.

Current 1024D policy URL: http://undergrid.net/legal/gpg/policy/20091121
Transition statement: http://undergrid.net/legal/gpg/policy/20111223
New 4096D policy URL: http://undergrid.net/legal/gpg/policy/20111224

On 03.03.2014 14:37, Reuben Thomas wrote:
> On 3 March 2014 18:13, Gunnar Wolf gw...@gwolf.org [1] wrote:
> > As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use. 1024D keys should be seen as brute-force vulnerable nowadays. Please do migrate away from them into stronger keys (4096R recommended) as soon as possible.
>
> Please could you change https://wiki.debian.org/DebianMaintainer [2], which currently says a >= 2048 bit key is required (I assume this is still correct) but does not specifically recommend 4096?
>
> I recently became a DM, and created a 2048 bit key to do so, as that satisfied the advice given on that page, and also happened to be the default length offered by GPG on my system. Only after I'd had it signed and uploaded it did I find advice that new keys should be 4096 bits. (I've already reported this issue in a couple of different places; the page is not user-editable or I'd've fixed it myself!)
>
> Links:
> [1] mailto:gw...@gwolf.org
> [2] https://wiki.debian.org/DebianMaintainer

Archive: https://lists.debian.org/a24f8679c031b0b76e8ed5cc0a9f4...@undergrid.net
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 03/04/2014 09:24 PM, Jeremy T. Bouse wrote:
> If any DDs are in, or will be in, the Atlanta area and would like to get together for a key signing, I would be more than welcome to get together

Most likely, I will attend the OpenStack summit in Atlanta [1] next May (from the 12th to the 16th). Even if I'm not there, there will most likely be a lot of DDs attending the event (from the top of my head: James Page and Robert Collins at least, probably even more). I'll be happy to sign your key if you show up to the event. Even if you're just at the door and don't want to pay the entry fee, that should be fine too, though since it's next to where you are, I would recommend you attend the whole week: there's a lot to learn there.

Cheers,
Thomas Goirand (zigo)

[1] http://www.openstack.org/summit/

Archive: https://lists.debian.org/5315e455.6060...@debian.org
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 03/03/2014 19:13, Gunnar Wolf wrote:
> If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement².

Is there a way to check this requirement? I've had a 4096R key since 2010 that I have had signed by various people. How can I count how many signatures have been done by people in the current Debian Keyring? Extra bonus if I can count signatures from the Debian keyring AND that will be kept here (i.e. with key >= 4096R). If a gpg expert can give a small script to make these checks, it will be appreciated.

Regards,
Vincent

-- 
Vincent Danjean GPG key ID 0x9D025E87 vdanj...@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main

Archive: https://lists.debian.org/5315fc6b.9030...@free.fr
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
* Vincent Danjean vdanjean...@free.fr [2014-03-04 17:16:43 +0100]:
> On 03/03/2014 19:13, Gunnar Wolf wrote:
> > If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement².
>
> Is there a way to check this requirement? I've had a 4096R key since 2010 that I have had signed by various people. How can I count how many signatures have been done by people in the current Debian Keyring? Extra bonus if I can count signatures from the Debian keyring AND that will be kept here (i.e. with key >= 4096R). If a gpg expert can give a small script to make these checks, it will be appreciated.

You can use keycheck.sh, the script AMs used to use in the NM process. I'm not sure if it's packaged, but it's at http://anonscm.debian.org/viewvc/nm/trunk/nm-templates/keycheck.sh?revision=1251&view=markup

Cheers,
-- 
Nicolas Dandrimont
"Never make any mistaeks." (Anonymous, in a mail discussion about a kernel bug report.)
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Jonathan McDowell wrote [Tue, Mar 04, 2014 at 05:38:11AM +]:
> > Surely this is well within keyring-maint purview and a GR is thus unnecessary? Running the plan by debian-project seems a reasonable level of consultation.
>
> We didn't need one for removing PGPv3 keys so I don't see why we'd need one for 1024D v4 keys.

I was thinking that we might need it just because of the amount of keys. We will end up locking out *many* DDs.

> I have already suggested a timescale to -project but haven't seen any comments on it other than "you should script this" and "should we relax the requirement for 2 signatures".

Right. And that basically gives us green light - But, yes, some will argue it's only involving people actively following said list.

Archive: https://lists.debian.org/20140304171151.gh73...@gwolf.org
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Vincent Danjean wrote [Tue, Mar 04, 2014 at 05:16:43PM +0100]:
> On 03/03/2014 19:13, Gunnar Wolf wrote:
> > If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement².
>
> Is there a way to check this requirement? I've had a 4096R key since 2010 that I have had signed by various people. How can I count how many signatures have been done by people in the current Debian Keyring? Extra bonus if I can count signatures from the Debian keyring AND that will be kept here (i.e. with key >= 4096R). If a gpg expert can give a small script to make these checks, it will be appreciated.

Just adding to the already-replied answer (keycheck.sh): we check against the live keyring. This means, however, that if we have just updated the key for DD X, and you have X's signature with the old key, our scripts won't recognize it. Of course, it also means that if Y signed you with a new key, and we have not yet processed Y's request, his new key will not show up in our working tree :-|

...Which sucks, yes. But then again, we might reject your request as it does not have enough signatures, then you tell us, "oh, but it does!". We re-evaluate, and (hopefully!) everybody will be happy.

Archive: https://lists.debian.org/20140304171745.gi73...@gwolf.org
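An added example for Vincent's question and the two replies above (it is not keycheck.sh and not code from the thread): it counts how many distinct keys in a keyring listing have certified a candidate key, and how many of those certifiers are themselves RSA keys of at least 4096 bits. It assumes both inputs are GnuPG's `--with-colons` output (`pub`/`sub`/`sig` records, with bits, algorithm id and key id in fields 3 to 5); the key ids and names in the sample records are constructed, not real DD keys.

```python
"""Count the certifications on a candidate key that come from keys in a keyring.

Inputs are GnuPG's colon format: `gpg --with-colons --list-keys` over the
keyring, and `gpg --with-colons --list-sigs <keyid>` over the candidate key.
"""
from typing import Dict, Iterable, NamedTuple, Set

RSA_ALGOS = {1, 2, 3}  # OpenPGP algorithm ids: 1 = RSA, 2 = RSA encrypt-only, 3 = RSA sign-only


class KeyInfo(NamedTuple):
    primary: str  # long key id of the primary key
    algo: int     # OpenPGP public-key algorithm id (17 = DSA, i.e. the 1024D keys)
    bits: int     # key length in bits


class Report(NamedTuple):
    from_keyring: int  # distinct keyring members who certified the key
    from_strong: int   # of those, members whose own key is RSA >= 4096 bits
    unknown: int       # signing key ids not present in the keyring at all


def parse_keyring(lines: Iterable[str]) -> Dict[str, KeyInfo]:
    """Map every key id (primary and subkeys) to the primary key's info, so a
    certification made with a signing subkey still resolves to one member."""
    keys: Dict[str, KeyInfo] = {}
    current = None
    for line in lines:
        f = line.rstrip("\n").split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":  # pub:validity:bits:algo:keyid:...
            current = KeyInfo(f[4], int(f[3]), int(f[2]))
            keys[f[4]] = current
        elif f[0] == "sub" and current is not None:
            keys[f[4]] = current
    return keys


def parse_signers(sig_lines: Iterable[str]) -> Set[str]:
    """Key ids of third-party 'sig' records; self-signatures and 'rev' records are skipped."""
    signers: Set[str] = set()
    own_ids: Set[str] = set()
    for line in sig_lines:
        f = line.rstrip("\n").split(":")
        if len(f) < 5:
            continue
        if f[0] in ("pub", "sub"):
            own_ids.add(f[4])
        elif f[0] == "sig" and f[4] not in own_ids:  # sig:::algo:keyid:created:...
            signers.add(f[4])
    return signers


def will_be_kept(k: KeyInfo) -> bool:
    """Vincent's bar for a certifier that survives the 1024D purge: RSA with >= 4096 bits."""
    return k.algo in RSA_ALGOS and k.bits >= 4096


def count_keyring_signatures(keyring_lines: Iterable[str], sig_lines: Iterable[str]) -> Report:
    keys = parse_keyring(keyring_lines)
    signers = parse_signers(sig_lines)
    members = {keys[s].primary for s in signers if s in keys}
    strong = {p for p in members if will_be_kept(keys[p])}
    unknown = sum(1 for s in signers if s not in keys)
    return Report(len(members), len(strong), unknown)


# Constructed keyring listing: a 4096R key with a signing subkey, a 1024D key and a 2048R key.
SAMPLE_KEYRING = """\
pub:-:4096:1:0123456789ABCDEF:1285000000:::-:::scESC:
uid:-::::1285000000::AAAA::Alice Example (constructed) <alice@example.org>:
sub:-:4096:1:1111222233334444:1285000000::::::s:
pub:-:1024:17:FEDCBA9876543210:1040000000:::-:::scaESCA:
uid:-::::1040000000::BBBB::Bob Example (constructed) <bob@example.org>:
pub:-:2048:1:AAAABBBBCCCCDDDD:1300000000:::-:::scESC:
uid:-::::1300000000::CCCC::Carol Example (constructed) <carol@example.org>:
""".splitlines()
# Constructed --list-sigs output for the candidate key: its self-signature, Alice certifying
# with both her primary key and her subkey, Bob (1024D), Carol (2048R), and an unknown signer.
SAMPLE_SIGS = """\
pub:-:4096:1:DEADBEEFCAFEF00D:1270000000:::-:::scESC:
uid:-::::1270000000::DDDD::Candidate Key (constructed) <candidate@example.org>:
sig:::1:DEADBEEFCAFEF00D:1270000000::::Candidate Key (constructed) <candidate@example.org>:13x:
sig:::1:0123456789ABCDEF:1280000000::::Alice Example (constructed) <alice@example.org>:10x:
sig:::1:1111222233334444:1280000100::::Alice Example (constructed) <alice@example.org>:10x:
sig:::17:FEDCBA9876543210:1281000000::::Bob Example (constructed) <bob@example.org>:10x:
sig:::1:AAAABBBBCCCCDDDD:1310000000::::Carol Example (constructed) <carol@example.org>:10x:
sig:::1:9999888877776666:1320000000::::[User ID not found]:10x:
""".splitlines()

if __name__ == "__main__":
    r = count_keyring_signatures(SAMPLE_KEYRING, SAMPLE_SIGS)
    print(f"{r.from_keyring} keyring certifiers ({r.from_strong} >= 4096R), {r.unknown} unknown; "
          f"meets the >= 2 active-DD bar: {r.from_keyring >= 2}")
```

The count is only as current as the keyring snapshot you feed in, so it inherits the lag Gunnar describes: a certifier whose key replacement has not yet been processed, or whose old key has just been replaced, lands in the unknown bucket.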
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 03/03/2014 19:13, Gunnar Wolf wrote:
> If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement².

I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable? And would it be considered reasonable if the first key was strong? This is not something possible as far as I can see, but is there any security rationale behind this?

Archive: https://lists.debian.org/5316137c.1030...@httrack.com
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Xavier Roche wrote [Tue, Mar 04, 2014 at 06:55:08PM +0100]:
> I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable? And would it be considered reasonable if the first key was strong? This is not something possible as far as I can see, but is there any security rationale behind this?

It all depends on the policies of each individual that signed your original, weak key. I personally do not sign keys based on transition statements. Some people will. Anyway, we as keyring maintainers cannot know how far you went to check the identities.
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable?

Considering that the initial keys are now considered weak, I expect that it would be reasonable for people to not trust a key transition statement where the only available trust anchor is the old weak key.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6Fr3xLJyDynSDY1kV5g-=yRsu_J8Jg_Bpy4PTuq=f4...@mail.gmail.com
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Wed, 2014-03-05 at 10:47 +0800, Paul Wise wrote:
> On Wed, Mar 5, 2014 at 1:55 AM, Xavier Roche wrote:
> > I have a rather silly question: would a mail (signed with this key) request to the DDs who already signed the initial key (and checked the identity) to sign the replacement key be considered unreasonable?
>
> Considering that the initial keys are now considered weak, I expect that it would be reasonable for people to not trust a key transition statement where the only available trust anchor is the old weak key.

That is however no reason not to do it - you're still better off than you were before (equally weak, but with the potential to improve).

Cheers,
Nick
-- 
Nick Phillips / nick.phill...@otago.ac.nz / 03 479 4195
# These statements are mine, not those of the University of Otago
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 3 March 2014 18:13, Gunnar Wolf gw...@gwolf.org wrote:
> As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use. 1024D keys should be seen as brute-force vulnerable nowadays. Please do migrate away from them into stronger keys (4096R recommended) as soon as possible.

Please could you change https://wiki.debian.org/DebianMaintainer , which currently says a >= 2048 bit key is required (I assume this is still correct) but does not specifically recommend 4096?

I recently became a DM, and created a 2048 bit key to do so, as that satisfied the advice given on that page, and also happened to be the default length offered by GPG on my system. Only after I'd had it signed and uploaded it did I find advice that new keys should be 4096 bits. (I've already reported this issue in a couple of different places; the page is not user-editable or I'd've fixed it myself!)
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Mon, Mar 03, 2014 at 07:37:53PM +, Reuben Thomas wrote:
> On 3 March 2014 18:13, Gunnar Wolf gw...@gwolf.org wrote:
> > As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use. 1024D keys should be seen as brute-force vulnerable nowadays. Please do migrate away from them into stronger keys (4096R recommended) as soon as possible.
>
> Please could you change https://wiki.debian.org/DebianMaintainer , which currently says a >= 2048 bit key is required (I assume this is still correct) but does not specifically recommend 4096?
>
> I recently became a DM, and created a 2048 bit key to do so, as that satisfied the advice given on that page, and also happened to be the default length offered by GPG on my system. Only after I'd had it signed and uploaded it did I find advice that new keys should be 4096 bits. (I've already reported this issue in a couple of different places; the page is not user-editable or I'd've fixed it myself!)

Done. The page is user editable, provided that you're logged in to the wiki.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On 3 March 2014 20:01, Steve Langasek vor...@debian.org wrote:
> Done. The page is user editable, provided that you're logged in to the wiki.

Thanks. I'm sorry, I was confused: I think the real reason I didn't edit the page was because at the time I didn't know whether it or the other material I had read was wrong; I did indeed go round this loop a few months ago with the Debian wiki saying that a page was locked when it really meant I hadn't logged in, and my brain clearly hasn't recovered.

-- 
http://rrt.sc3d.org
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
I salute this effort! :)

On 03/04/2014 02:13 AM, Gunnar Wolf wrote:
> As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use.

What does this mean? Is there a schedule in place? Also, how many 1024D keys are still in the keyring?

Cheers,
Thomas

Archive: https://lists.debian.org/53154d5c.2060...@debian.org
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
Thomas Goirand wrote [Tue, Mar 04, 2014 at 11:49:48AM +0800]:
> I salute this effort! :)

Yay! :)

> On 03/04/2014 02:13 AM, Gunnar Wolf wrote:
> > As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use.
>
> What does this mean? Is there a schedule in place? Also, how many 1024D keys are still in the keyring?

Well, following Clint's post¹ (which I mentioned in my post), we were at 611 DSA (1024D) vs. 383 RSA (2048R and higher). With 18 DD keys mentioned in the post (plus two since then, yay! :) ), we should stand at 591 vs. 403 (minus some statistical noise - IIRC only one DM became a DD in this same period).

About a schedule: No, we do not currently have it. We should work on getting a plan for this. Now, it is not an easy task to get done, and as we might effectively end up locking out many DDs, I'm thinking (and I have not yet talked this over in the team, but we should discuss it) we should get formal support from the project in the form of a GR or something like that... Of course, that after sketching a real plan with stages and dates.

¹ https://lists.debian.org/debian-project/2014/02/msg00119.html
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Tue, Mar 4, 2014 at 12:28 PM, Gunnar Wolf wrote:
> About a schedule: No, we do not currently have it. We should work on getting a plan for this. Now, it is not an easy task to get done, and as we might effectively end up locking out many DDs, I'm thinking (and I have not yet talked this over in the team, but we should discuss it) we should get formal support from the project in the form of a GR or something like that... Of course, that after sketching a real plan with stages and dates.

Surely this is well within keyring-maint purview and a GR is thus unnecessary? Running the plan by debian-project seems a reasonable level of consultation.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6HfszfcJhRN0v=0f+3d4tq9rhf8gq2srovszpubusu...@mail.gmail.com
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Mon, Mar 03, 2014 at 10:28:41PM -0600, Gunnar Wolf wrote:
> Thomas Goirand wrote [Tue, Mar 04, 2014 at 11:49:48AM +0800]:
> > On 03/04/2014 02:13 AM, Gunnar Wolf wrote:
> > > As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitively will start being more aggressively deprecating their use.
> >
> > What does this mean? Is there a schedule in place? Also, how many 1024D keys are still in the keyring?
>
> Well, following Clint's post¹ (which I mentioned in my post), we were at 611 DSA (1024D) vs. 383 RSA (2048R and higher). With 18 DD keys mentioned in the post (plus two since then, yay! :) ), we should stand at 591 vs. 403 (minus some statistical noise - IIRC only one DM became a DD in this same period).
>
> About a schedule: No, we do not currently have it. We should work on getting a plan for this.

I propose 2014-SEP-01. Gives people six months to get this done. Even *I* can get it done in that amount of time. I've already emailed my fellow Vancouver Debian Developers in the hopes of coordinating a revolution^Wkeysigning [1].

> Now, it is not an easy task to get done, and as we might effectively end up locking out many DDs, I'm thinking (and I have not yet talked this over in the team, but we should discuss it) we should get formal support from the project in the form of a GR or something like that... Of course, that after sketching a real plan with stages and dates.

I don't think a GR is required. Keyring Maintainer is a role within the Project with Delegated Powers. Just Do It® [2], I say.

[1] This is _Vancouver_ after all.
[2] Nike, don't sue me.

-- 
Luca Filipozzi
http://www.crowdrise.com/SupportDebian
Re: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
On Tue, Mar 04, 2014 at 12:45:05PM +0800, Paul Wise wrote:
> On Tue, Mar 4, 2014 at 12:28 PM, Gunnar Wolf wrote:
> > About a schedule: No, we do not currently have it. We should work on getting a plan for this. Now, it is not an easy task to get done, and as we might effectively end up locking out many DDs, I'm thinking (and I have not yet talked this over in the team, but we should discuss it) we should get formal support from the project in the form of a GR or something like that... Of course, that after sketching a real plan with stages and dates.
>
> Surely this is well within keyring-maint purview and a GR is thus unnecessary? Running the plan by debian-project seems a reasonable level of consultation.

We didn't need one for removing PGPv3 keys so I don't see why we'd need one for 1024D v4 keys. I have already suggested a timescale to -project but haven't seen any comments on it other than "you should script this" and "should we relax the requirement for 2 signatures".

J.

-- 
Minorities are the foundation of society.

Archive: https://lists.debian.org/20140304053811.gh27...@earth.li