httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Felt <mamf...@gmail.com>
Subject Re: please sign new apache releases only with strong keys -- trimming the KEYS file
Date Tue, 31 Dec 2013 17:58:10 GMT
Isn't the "normal" solution path - rather than prune, to revoke keys?


On Fri, Dec 27, 2013 at 4:53 PM, Frederick Miller <fjmiller11@gmail.com>wrote:

> Please remove me from this email list. Please unsubscribe me.  Thanks.
>
>
> On Fri, Dec 27, 2013 at 10:49 AM, Daniel Kahn Gillmor <
> dkg@fifthhorseman.net> wrote:
>
>> On 12/26/2013 06:18 PM, Nick Kew wrote:
>> > You're ahead of us.  Individual Apache folks like Jim have taken
>> > responsibility and moved to 4096-bit keys, but we haven't as a
>> > community had the discussion that might lead to pruning KEYS.
>> > My inclination is to say NO to requiring anyone to remove old keys,
>> > but YES to encouraging strong keys to sign all releases.
>>
>> Thanks for considering this, Nick.
>>
>> At the moment, some of your downstreams have the impression that KEYS
>> indicates all of the keys that apache might use to sign releases.  For
>> example, in  http://bugs.debian.org/732450#22 Arno Töll writes:
>>
>> >> Therefore, I thought a more complete patch would be a keyring which
>> >> includes all signatures of people allowed to sign and release code on
>> >> behalf of the httpd project.
>>
>> Maybe you could update the preamble of KEYS to indicate that only strong
>> keys (and please clearly define "strong" if y'all are making this
>> policy) will be used to sign releases?
>>
>> Nick again:
>> > That may be an issue for some Apache folks.  For myself, my newer
>> > (4096-bit) key has fewer sigs than my old 1024-bit[1], though not
>> > catastrophically so.  What is perhaps more of an issue is that hardly
>> > any of the signatures on the new key are from Apache folks, as I have
>> > (alas) not made it to Apachecon for a couple of years now.  Others may
>> > have a range of reasons for retaining older keys.
>>
>> Your 4096-bit key (0x3CE3BAC2EB7BBC624D1D22D8F3B9D88CB87F79A9) appears
>> to be certified by nearly 60 other keys -- including at least a couple
>> debian developers and Nikos Mavrogiannopolous (the lead GnuTLS
>> developer).  I can't speak for all of debian, but i think a strong key
>> connected by a few paths to other established free software developers
>> is more reliable than a weak key connected by dozens of paths.
>>
>> The keys themselves should not be the weak point in our cryptosystems.
>>
>> > [1] Key IDs 40581837 and B87F79A9
>>
>> (i recommend using full fingerprints instead of keyids if you have to
>> communicate about a specific key:
>>   https://www.debian-administration.org/users/dkg/weblog/105)
>>
>> Regards,
>>
>>         --dkg
>>
>>
>>
>

Mime
View raw message