PGP v3 key support to be dropped from Debian keyring

About this time last year there was some concern over the security of
SHA-1 and the beginnings of a move to stronger keys using SHA-2. I wrote a mail to d-d-a[0] indicating that keyring-maint was in favour of moving to strong hashes, and in particular was keen to remove all the legacy v3 keys that were still active.

I have sent numerous mails over the past year to try and chase DDs with
v3 keys to generate a new v4 key that is linked into our web of
trust. In that time we’ve gone from 200 v3 keys down to 20. While it
would be nice to get this number to 0 before dropping support it seems
unlikely that this will happen; in my mail last September[1] I’d stated
that I hoped the transition would be completed by Christmas, but there
were still people trying to delay beyond that point.

So, on 1st July 2010 keyring-maint will remove all v3 keys from the
active Debian keyring; debian-keyring.pgp will become an empty file (we
will cease to generate it at all once DSA and ftp-master have confirmed
none of their tools are using it any longer).

We will allow a 2 month period after this date where we will accept a
signature from an old v3 key as part of a trust chain to a new v4 key;
it will still require a signature from another DD (and ideally 2). On
1st September 2010 we will no longer trust any v3 keys as part of key
replacement.

All affected DDs have been mailed several times about replacing their
key, but just in case they’ve managed to miss the mails to d-d-a, the
direct mails or my blog post[2], here is the complete list of affected
keys:

0x0D2156BD3D97C149 Michael Stone
0x225FD911CD269B31 Carlos Barros
0x31E73F14E298966D James R. Van Zandt
0x366CD3FEEBC11B01 Chris Waters
0x37A73FE355E8BC4D Frederic Lepied
0x3E973117DCC528E9 Ardo van Rangelrooij
0x5C7A46637953F711 Rich Sahlender
0x5D6560F85F30F005 Craig Brozefsky
0x6B0E322836129171 Jim Westveer
0x723724B4A5B6DD31 Christian Meder
0x8FFC405EFD5A67CD Adam Di Carlo
0xB0D269DE17F3D4D1 Matthew Vernon
0xBC151FC8D2A913A1 Peter S Galbraith
0xC1A0A171C2DCD3B1 Jim Mintha
0xC3168EBA23F5ADDB Ian Jackson
0xCE951B1160D74C7D Patrick Cole
0xE82A8B0D57137FE5 Paul Seelig
0xF20E242CE77AC835 Brian White
0xFBAA570C3087194D Alan Bain
0xFFD1B4AC7C19FD19 David Engel

I suspect some of these developers are MIA (and have been in contact
with the MIA team); only 2 votes in the recent DPL election. 7 have
failed to make any response to my mails. 9 have uploaded packages since
August 2008. And 9 were already known to the MIA database. Some have
stated they will try and sort out a new key, but have not yet managed to
do so.

If you are one of these people, please either get a new key sorted and
signed and reply to the mails I’ve sent you, or reply and say you no
longer wish to be involved in Debian. And if you know any of these
people, encourage them to get a new key sorted and offer to sign it for
them.

J, with his keyring-maint hat on.

[0] http://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
[1] http://lists.debian.org/debian-devel-announce/2009/09/msg00011.html
[2] http://www.earth.li/~noodles/blog/2010/04/out-damnd-pgp-v3.html
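
To check whether a binary keyring still carries legacy keys, read the version octet at the start of each public-key packet. This is an added example, not part of the original mail or of keyring-maint's tooling; the function names and sample bytes are constructed, and the packet layout follows RFC 4880.

```python
import struct

def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet in a binary keyring (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def find_v3_keys(data):
    """Return the 64-bit key IDs of version 2/3 public keys (tag 6) in the keyring."""
    found = []
    for tag, body in iter_packets(data):
        if tag == 6 and body and body[0] in (2, 3):
            # v3 body: version, created(4), validity days(2), algorithm(1), MPI n, MPI e
            bits = int.from_bytes(body[8:10], "big")
            n = body[10:10 + (bits + 7) // 8]
            found.append("0x" + n[-8:].hex().upper())   # v3 key ID = low 64 bits of n
    return found

# Constructed sample keyring (toy 128-bit modulus, not a real key): one v3 and one v4 key.
_N = bytes.fromhex("D1000000000000000123456789ABCDEF")
_MPIS = b"\x00\x80" + _N + b"\x00\x05\x11"
SAMPLE = (b"\x99\x00\x1d" + b"\x03" + bytes(4) + bytes(2) + b"\x01" + _MPIS  # old header, v3
          + b"\xc6\x1b" + b"\x04" + bytes(4) + b"\x01" + _MPIS)              # new header, v4

if __name__ == "__main__":
    print(find_v3_keys(SAMPLE))
```

The key IDs it reports use the same 64-bit form as the list above, so the output can be compared with it directly.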

— “Just chill. What’s with all the rush? Debian is brewed longer for a stronger, fresher taste. We only release it when it’s ready.” — Robster, posting to debian-devel about Woody.

Debian-News is not related to the Debian Project.
All logos and trademarks on this site are property of their respective owners.