[Bug 1461834] Re: 1024-bit signing keys should be deprecated
Julian Andres Klode
jak at jak-linux.org
Sun May 7 19:06:43 UTC 2017
APT currently rejects all non-SHA2 hashes, which excludes 1024 bit DSA
keys (the only 1024 bit keys in use, really). All repositories were told
to update to 2048 or 4096 bit RSA keys.
GPG does not provide a way for APT to validate key lengths when the
signature is verified, so we did all we could do here. Any future change
needs to be made in gpg (reject all DSA/RSA keys less than 2048 bit).
** Changed in: apt (Ubuntu)
Status: Confirmed => Invalid
** Also affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Invalid
Status in gnupg2 package in Ubuntu:
New
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
More information about the foundations-bugs
mailing list