touch-packages team mailing list archive

Thread
Date

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1461834@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Jul 2015 22:29:23 -0000
Reply-to: Bug 1461834 <1461834@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

It might be nice if apt could be configured with "minimum accepted
algorithms" or "required algorithms", to allow administrators to require
e.g. sha256 or sha3 or blake2b, or rsa 4096 or ed25519, etc.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1461834

Title:
  1024-bit signing keys should be deprecated

Status in Launchpad itself:
  New
Status in apt package in Ubuntu:
  Confirmed

Bug description:
  1024-bit RSA was deprecated  years ago by NIST[1], Microsoft[2] and
  more recently by others[3].

  1024-bit signing keys are insufficient to guarantee the authenticity
  of software distributed from Launchpad.net including PPAs. There
  should be a mechanism to refuse signing keys below a minimum key
  length based on key type. 1024-bit signing keys should be deprecated
  and removed from Launchpad.net itself ASAP.  Future projects and PPAs
  should be disallowed from using 1024-bit signing keys.

  1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
  3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions