[Bug 1461834] Re: 1024-bit signing keys should be deprecated

Martin 1461834 at bugs.launchpad.net
Tue Jun 28 10:05:29 UTC 2022


Why is this still a thing, nearly a decade after NIST disallowed the
usage? [1]

Why is it not possible for users to regenerate their signing keys? [2]

What if someone believes their key is compromised? Do they have to burn
their work and create an entirely new page and direct their users there?

What if someone created a key with RSA 1024 and would like to migrate it
to a secure variant? Looks like they can't. [2]

And it shows, because even very popular PPAs like ondrej/php are using
RSA1024 keys from 2009, and it does not look to be their fault. [3]

[1] https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/announcements/2013-announcements
[2] https://bugs.launchpad.net/launchpad/+bug/1331914
[3] https://github.com/oerdnj/deb.sury.org/issues/1429#issuecomment-656190271

** Bug watch added: github.com/oerdnj/deb.sury.org/issues #1429
   https://github.com/oerdnj/deb.sury.org/issues/1429

https://bugs.launchpad.net/bugs/1461834

Title:
  1024-bit signing keys should be deprecated

Status in Launchpad itself:
  New
Status in apt package in Ubuntu:
  Invalid
Status in gnupg2 package in Ubuntu:
  Confirmed

Bug description:
  1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
  more recently by others[3].

  1024-bit signing keys are insufficient to guarantee the authenticity
  of software distributed from Launchpad.net including PPAs. There
  should be a mechanism to refuse signing keys below a minimum key
  length based on key type. 1024-bit signing keys should be deprecated
  and removed from Launchpad.net itself ASAP. Future projects and PPAs
  should be disallowed from using 1024-bit signing keys.

  1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
  3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
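The description asks for "a mechanism to refuse signing keys below a minimum key length based on key type". The following script is an added illustration of such a policy check, not code from Launchpad, GnuPG or the bug reporter. It assumes the machine-readable record layout of `gpg --list-keys --with-colons` (record type in field 1, key size in field 3, RFC 4880 algorithm ID in field 4, key ID in field 5, capability letters in field 12, as documented in GnuPG's doc/DETAILS); the sample records, key IDs and dates are constructed for the example. The minimums (2048 bits for RSA and DSA, curve size for ECDSA/EdDSA) are the policy this example assumes, chosen to reject the 1024-bit RSA/DSA keys the report is about.

```python
"""Flag OpenPGP signing keys whose size is below a per-algorithm minimum.

Input is the colon-delimited output of `gpg --list-keys --with-colons`.
Only keys that carry the signing capability are judged, so encryption-only
subkeys (Elgamal, ECDH) are ignored.
"""
from dataclasses import dataclass

# RFC 4880 / RFC 6637 public-key algorithm IDs as they appear in field 4.
ALGO_NAMES = {
    1: "RSA", 2: "RSA", 3: "RSA",
    16: "ELGAMAL", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}

# Assumed policy: minimum acceptable size in bits for a *signing* key.
# 1024-bit RSA/DSA is what NIST SP 800-131A disallowed for signature
# generation; 2048 is the floor used here. GnuPG reports Ed25519 as 255 bits.
MIN_SIGNING_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 256, "EdDSA": 255}


@dataclass
class KeyRecord:
    record: str   # "pub" (primary key) or "sub" (subkey)
    bits: int     # key size from field 3
    algo: str     # algorithm family name derived from field 4
    keyid: str    # 16-hex-digit key ID from field 5
    caps: str     # capability letters from field 12, e.g. "scESC"


def parse_colon_records(text):
    """Return the pub/sub records found in --with-colons output."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue  # skip fpr, uid, tru and other record types
        keys.append(KeyRecord(
            record=fields[0],
            bits=int(fields[2]),
            algo=ALGO_NAMES.get(int(fields[3]), f"algo{fields[3]}"),
            keyid=fields[4],
            caps=fields[11],
        ))
    return keys


def can_sign(key):
    """Lowercase letters are the key's own capabilities; uppercase letters on
    a pub record summarise the whole certificate, so only 's' is checked."""
    return "s" in key.caps


def weak_signing_keys(text):
    """Return (keyid, algo, bits, reason) for every signing key that fails
    the policy, including keys of an algorithm the policy does not know."""
    weak = []
    for key in parse_colon_records(text):
        if not can_sign(key):
            continue
        minimum = MIN_SIGNING_BITS.get(key.algo)
        if minimum is None:
            weak.append((key.keyid, key.algo, key.bits, "unknown algorithm"))
        elif key.bits < minimum:
            weak.append((key.keyid, key.algo, key.bits, f"below {minimum}"))
    return weak


# Constructed sample listing: a 1024-bit DSA primary key with an Elgamal
# encryption subkey, a 4096-bit RSA key with a signing subkey, and an
# Ed25519 key. Key IDs and timestamps are placeholders, not real keys.
SAMPLE = """\
pub:u:1024:17:0000000000000001:1240000000::::::scESC::::::::::0:
sub:u:2048:16:0000000000000002:1240000000::::::e::::::::::0:
pub:u:4096:1:0000000000000003:1600000000::::::scESC::::::23::0:
sub:u:4096:1:0000000000000004:1600000000::::::s::::::23::0:
pub:u:255:22:0000000000000005:1650000000::::::scESC:::::::ed25519::0:
"""

if __name__ == "__main__":
    for keyid, algo, bits, reason in weak_signing_keys(SAMPLE):
        print(f"REJECT {keyid}: {algo} {bits}-bit signing key ({reason})")
```

On a real host the same functions can be fed the output of `gpg --list-keys --with-colons` (or `--list-keys --with-colons <keyid>` for one PPA key); the only record rejected in the sample is the 1024-bit DSA primary key, while the Elgamal subkey is skipped because it has no signing capability.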
