[Bug 1461834] Re: 1024-bit signing keys should be deprecated
Bob Freeman
1461834 at bugs.launchpad.net
Mon Aug 30 12:10:30 UTC 2021
> GPG does not provide a way for APT to validate key lengths when the
> signature is verified, so we did all we could do here.
Some pages, like https://launchpad.net/~fnu/+archive/ubuntu/main-fnu/
say "Signing key: 1024R" when you click on "Technical details about this
PPA". So launchpad clearly knows, and at the very least it *must* put a
big warning on such pages, so as not to fool users into compromising the
security of their computers. It's not true to say there's nothing
launchpad can do.
Since the underlying problem is clearly real, why is this launchpad bug
still 'New' and not 'Confirmed' after more than 6 years 2 months?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Invalid
Status in gnupg2 package in Ubuntu:
Confirmed
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
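
The bug description asks for a mechanism to refuse signing keys below a minimum length based on key type. As an added example (not part of the original message, and not Launchpad, APT or GnuPG code), the following audits a key listing in the `gpg --with-colons` format; the 2048-bit thresholds, the function names and the sample listing are assumptions constructed for illustration.

```python
"""Flag OpenPGP signing keys shorter than a per-algorithm minimum."""

# Public-key algorithm ID (field 4 of a colon record) -> (name, minimum bits).
# The thresholds are an assumed policy, not values from Launchpad, APT or GnuPG.
MIN_BITS = {"1": ("RSA", 2048), "17": ("DSA", 2048)}

# Constructed listing in `gpg --with-colons` format; key IDs are made up.
SAMPLE = """\
pub:-:1024:1:1111111111111111:1262304000:::-:::scSC::::::23::0:
uid:-::::1262304000::0000000000000000000000000000000000000000::Constructed weak PPA key::::::::::0:
pub:-:4096:1:2222222222222222:1577836800:::-:::scESC::::::23::0:
sub:-:1024:1:3333333333333333:1577836800::::::s::::::23:
sub:-:2048:16:4444444444444444:1577836800::::::e::::::23:
pub:-:1024:17:5555555555555555:1104537600:::-:::scSC::::::23::0:
pub:-:255:22:6666666666666666:1609459200:::-:::scSC:::::ed25519:::0:
"""


def audit_keys(colon_listing):
    """Return (keyid, algorithm, bits, verdict) for every signing-capable key."""
    results = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr and other records carry no key length
        bits, algo, keyid, caps = f[2], f[3], f[4], f[11]
        # Lowercase letters are this key's own capabilities: s = sign, c = certify.
        if not set("sc") & set(caps):
            continue  # encryption-only keys do not vouch for packages
        if algo not in MIN_BITS:
            # No threshold defined for this key type: report it, do not guess.
            results.append((keyid, "algo " + algo, int(bits), "unchecked"))
            continue
        name, minimum = MIN_BITS[algo]
        verdict = "ok" if int(bits) >= minimum else "too-short"
        results.append((keyid, name, int(bits), verdict))
    return results


def rejected(colon_listing):
    """Key IDs that the minimum-length policy would refuse."""
    return [k for k, _, _, v in audit_keys(colon_listing) if v == "too-short"]


if __name__ == "__main__":
    for keyid, name, bits, verdict in audit_keys(SAMPLE):
        print(f"{keyid}  {name:<8} {bits:>5}  {verdict}")
```

Note that the short signing subkey under the 4096-bit primary is also flagged, which a check of the primary key alone would miss.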