Debian encouraging use of 4096 bit RSA keys

Perry E. Metzger perry at piermont.com
Tue Sep 14 08:15:52 EDT 2010


The decision that 1024 bit keys are inadequate for code signing is
likely reasonable. The idea that 2048 bits and not something between
1024 bits and 2048 bits is a reasonable minimum is perhaps arguable.
One wonders what security model indicated 4096 bits is the ideal
length....

Perry

Begin forwarded message:

Date: Tue, 14 Sep 2010 00:18:48 -0500
From: Gunnar Wolf <gwolf at debian.org>
To: debian-devel-announce at lists.debian.org
Subject: Bits from keyring-maint


Hi,

So, even small teams more closely related to bureaucracy and
bookkeeping such as ours also deserve to send out some "bits from..."
mails from time to time. And being past midnight, I hope I can keep
this concise and short. For people that were present at my lightning
talk at DebConf, expect no new material in this mail... We just needed
to send it out.

1. PGP (v3) keys are gone!
   -----------------------

The first point is that, with a lot of patience and chasing, and after
over a year of having stated the intention, we can finally say that
older, vulnerable v3 keys are gone from the Debian Developer keyring,
yay! Thanks in no small measure to Jonathan's endless bugging and
chasing, all keys in Debian today are v4 1024D or higher, and that is
a Very Good Thing. And yes, it leads us to the next point...

2. We want stronger keys
   ---------------------

1024D (SHA1) keys are OK-ish for now. No attacks are known on them,
and they are not compromising the archive in any way (if they were, of
course, we would immediately disable them and _then_ look for
solutions, while surely becoming overnight the most hated team in
Debian). Still, to be on the safe side (and to avoid the long and
painful declining curve we had with v3 keys), we are now clearly
pushing Debian towards adopting stronger RSA keys - We have accepted
some 2048R keys, but if you don't have a real reason to keep your key
at that size (i.e. you very often build on underpowered machines where
a 4096R key takes forever, or something like that), we really prefer
to go with 4096R keys.

To create your 4096R key, you are advised to follow Ana Guerrero's
excellent tutorial [1].

The policies for a key upgrade go as follows (and are explained at
greater length at [2]): 

- Your new key should be signed by your old key

- Your new key should be signed by two or more other Debian Developers

- Mail the key replacement request to keyring at rt.debian.org,
  mentioning 'Debian RT' somewhere in the mail subject

- The request should be _inline_ signed by your old key. If you send a
  MIME-encoded signed message, RT will mangle it and it won't
  validate. Please, inline-sign the message.

- Although we clearly want to transition to a stronger keyring, that
  does not mean we want to loosen the Web of Trust. That means that if
  you have a gazillion signatures in your 1024D key, you should not
  rush to update it with a barely-signed 4096R one. Get it signed by
  as many people as possible. If you are already socially active in
  Debian, that should pose no problem. Otherwise... Well, if you are
  isolated and far from anybody else, we might do it. But remember,
  there is no _pressing_ need to do so.

3. We demand stronger keys!
   ------------------------

But then again, we are not allowing any new 1024D keys
anymore. Anybody who is currently a DD or DM, or that has started his
application towards becoming one, will be allowed with whatever key
they currently have - But effective October 1st, no applications for
DM or DD should be processed with anything less than a 2048R
SHA2-capable key. 

Ok, so, I'm looking forward to processing your key update requests!

On behalf of keyring-maint,

   -Gunnar

--

[1] http://keyring.debian.org/creating-key.html

[2] http://keyring.debian.org/replacing_keys.html
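The key-size policy in sections 2 and 3 above, turned into a keyring audit as an added example that is not part of the original mail or of keyring-maint's tooling: it reads the record format of `gpg --with-colons --fingerprint --list-keys` (a constructed sample is embedded), flags v3 keys by their 32-hex-digit MD5 fingerprint, rejects keys below the 2048R floor for new applicants, and marks existing 1024D/2048R keys as candidates for a 4096R replacement. The algorithm ids come from RFC 4880; the thresholds are read from the mail; the function and constant names are my own assumptions.

```python
from typing import NamedTuple
RSA_ALGOS, DSA_ALGO = {1, 2, 3}, 17  # RFC 4880 public-key algorithm ids: RSA variants, DSA ("1024D")
MIN_NEW_APPLICANT_BITS, PREFERRED_BITS = 2048, 4096  # October 1st floor for applicants; preferred size

class KeyInfo(NamedTuple):
    keyid: str
    algo: int
    bits: int
    fingerprint: str
    def is_v3(self) -> bool:
        # v3 fingerprints are MD5 (32 hex digits); v4 fingerprints are SHA-1 (40 hex digits)
        return len(self.fingerprint) == 32

def parse_colons(listing: str) -> list:
    """Pair each pub: record with the fpr: record that directly follows it."""
    keys, pending = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = (f[4], int(f[3]), int(f[2]))  # keyid, algorithm id, key length in bits
        elif f[0] == "fpr" and pending is not None:
            keys.append(KeyInfo(*pending, f[9]))
            pending = None  # fpr: records after sub: are skipped; only primary keys are audited
    return keys

def classify(key: KeyInfo, new_applicant: bool) -> str:
    """Verdict under the policy stated in the mail: 'reject', 'upgrade' or 'ok'."""
    if key.is_v3():
        return "reject"   # v3 keys have been removed from the keyring entirely
    if new_applicant and (key.algo not in RSA_ALGOS or key.bits < MIN_NEW_APPLICANT_BITS):
        return "reject"   # new DM/DD applications need at least a 2048R key
    if key.algo == DSA_ALGO or key.bits < PREFERRED_BITS:
        return "upgrade"  # existing 1024D/2048R keys stay valid, but 4096R is preferred
    return "ok"

def audit(listing: str, new_applicant: bool = False) -> dict:
    return {k.keyid: classify(k, new_applicant) for k in parse_colons(listing)}

# Constructed sample: a 1024D v4 key with a subkey, a 4096R v4 key and a leftover v3 key.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:1104537600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:u:2048:16:FEDCBA9876543210:1104537600::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:4096:1:89ABCDEF01234567:1284444000:::u:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:u:1024:1:0011223344556677:800000000:::u:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF:
"""
```

Run `audit(SAMPLE_LISTING)` for the view keyring-maint takes of existing developers, and `audit(..., new_applicant=True)` for the October 1st rule applied to new applications.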

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com