
Removing < 2048 bit keys from the Debian keyrings

5 years ago we started to get worried about the strength of the OpenPGP keys. In May 2009 I stated in a mail to d-d-a[0] that as a project we should be making an orderly move towards stronger keys but not at the expense of our Web of Trust.

In September 2009 I reminded[1] people to ensure their new keys had a reasonable number of signatures before requesting replacement.

On October 1st 2010 we stopped[2] accepting new keys that were smaller than 2048 bits to the Debian keyrings.

This year, in March[3], we stated that while we were not yet doing a mass removal we were aggressively deprecating the use of 1024 bit keys.

Earlier this week I sent emails directly to the 650+ Debian Developers and Debian Maintainers who still have keys less than 2048 bits in our keyrings. This informed them that their key will be removed from the relevant keyring at the end of the year (31st December 2014).

I am pleased to report that we have already seen 40+ requests for replacement submitted to RT as a result, and expect to see more during the weeks after DebConf. I would ask that DDs make some effort to help those with weak keys get their new, stronger keys signed. Please sign responsibly[4]; this is an opportunity for us to improve our web of trust.

J, on behalf of keyring-maint.

 

[0] https://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
[1] https://lists.debian.org/debian-devel-announce/2009/09/msg00011.html
[2] https://lists.debian.org/debian-devel-announce/2010/09/msg00003.html
[3] https://lists.debian.org/debian-devel-announce/2014/03/msg00003.html
[4] http://xkcd.com/364/
