← Back to team overview

touch-packages team mailing list archive

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

 

Launchpad has used 4096-bit RSA keys for new PPAs since bug #1240681 was
fixed. Allowing PPA owners to replace the old 1024-bit keys is bug
#1331914.

** No longer affects: launchpad

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1461834

Title:
  1024-bit signing keys should be deprecated

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  1024-bit RSA was deprecated  years ago by NIST[1], Microsoft[2] and
  more recently by others[3].

  1024-bit signing keys are insufficient to guarantee the authenticity
  of software distributed from Launchpad.net including PPAs. There
  should be a mechanism to refuse signing keys below a minimum key
  length based on key type. 1024-bit signing keys should be deprecated
  and removed from Launchpad.net itself ASAP.  Future projects and PPAs
  should be disallowed from using 1024-bit signing keys.

  1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
  3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1461834/+subscriptions