On Sat, Oct 5, 2013 at 1:41 PM, Gunnar Wolf wrote:
> In addition to Paul's numbers, we have also the DM keyring, which is
> in a much better shape quite probably because it's much newer.

Good news.

> - Give a suitable time window for the key migration and disable old
>   keys. Jonathan gave a first suggestion of 6 months.

Sounds good.

> - Actually reach out to people and make explicit that 1024D is *no
>   longer enough*. We guess that some of them never paid too much
>   attention to the issue, and those are the most likely to be "Debian
>   outliers", not people inside the core group who meet year-to-year
>   with the community and play the "get more signatures" game.

Yes please, via (at least) mail to all of the non-revoked UIDs on all
these keys. Some of the people with 1024-bit keys are very active (some
in core teams) though, so perhaps that should be restricted.

> - An idea to help said outliers is to use the data in LDAP to tell
>   them who lives closest to them so they can get signatures more
>   quickly. Of course, this has the disadvantage of relying on our
>   (known-bogus and known-incomplete) LDAP geolocation data.

The city information in LDAP might be better, perhaps alongside these:

https://wiki.debian.org/LocalGroups
https://wiki.debian.org/Keysigning/Offers
https://wiki.debian.org/BSP
https://wiki.debian.org/DebianEvents

> - If we were to retire all 1024D keys today, we would lock out
>   approx. two thirds of Debian. That's clearly unacceptable. I don't
>   think it's feasible to attempt it until we are closer to the one
>   third mark — And I'm still not very comfortable with it. But OTOH,
>   it can help us pinpoint those keys that are not regularly used

Agreed.

> - People who have done MIA-tracking, do our tools report when was
>   the last activity we saw in connection with a given key? I'd guess
>   they do...

They do:

$ ssh qa.debian.org /srv/qa.debian.org/mia/mia-query pabs | grep -i pgp
activity-pgp:[Thu, 03 Oct 2013 13:51:38] "610B 28B5 5CFC FE45 EA1B 563B 3116 BA5E 9FFA 69A3" "<[email protected]> archive/latest/1010533" "<1380807999.31767.36.camel@chianamo>"

> - Yes, Ansgar points out that it's still probably easier to steal a
>   GPG key than to break it. Not all of us follow the safest computing
>   techniques, do we?

Indeed, for example probably the majority of us use a web browser on
the same machine as our OpenPGP keys.

> (yes, sure, but what does well-connected mean‽)

Strong set?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
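The thread's plan has two mechanical parts: find the 1024D (1024-bit DSA) primary keys in a keyring, and cross them against the last-activity date a MIA tracker reports so the unused ones can be pinpointed and the rest contacted via their non-revoked UIDs. The script below is an added example of that join; it is not Debian keyring-maint or MIA tooling. It reads the `gpg --with-colons` record layout (documented in gpg's DETAILS file), and everything else is assumed: the sample listing, the activity dates, the 180-day "regularly used" threshold, and the decision to also flag RSA keys shorter than 2048 bits, which goes beyond the thread's 1024D class.

```python
"""Find weak (1024-bit DSA) primary keys in an OpenPGP keyring listing and
rank them by last observed activity, so the people to contact are clear.

Added example, not Debian keyring-maint or MIA tooling. Record layout follows
gpg's --with-colons format (doc/DETAILS); all sample data is constructed.
"""
from datetime import date, timedelta

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1).
RSA, DSA = 1, 17

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# Field 2 is validity ('r' = revoked), field 3 key length, field 4 algorithm.
SAMPLE_LISTING = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:2003-05-01:::u:::scaESCA::::
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::2003-05-01::HASH::Alice Developer <alice@example.org>::::::::::0:
sub:u:2048:16:AAAAAAAAAAAAAAA1:2003-05-01:::::e::::
fpr:::::::::9999888877776666555544443333222211110000:
pub:u:4096:1:BBBBBBBBBBBBBBBB:2012-01-10:::u:::scaESCA::::
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::2012-01-10::HASH::Bob Developer <bob@example.org>::::::::::0:
pub:r:1024:17:CCCCCCCCCCCCCCCC:2001-09-15:::u:::scaESCA::::
fpr:::::::::2222333344445555666677778888999900001111:
uid:r::::2001-09-15::HASH::Carol Developer <carol@example.org>::::::::::0:
pub:u:1024:1:DDDDDDDDDDDDDDDD:2005-03-02:::u:::scaESCA::::
fpr:::::::::3333444455556666777788889999000011112222:
uid:u::::2005-03-02::HASH::Dave Developer <dave@example.org>::::::::::0:
pub:u:1024:17:EEEEEEEEEEEEEEEE:2004-07-20:::u:::scaESCA::::
fpr:::::::::4444555566667777888899990000111122223333:
uid:u::::2004-07-20::HASH::Erin Developer <erin@example.org>::::::::::0:
uid:u::::2006-01-01::HASH::Erin Developer <erin@debian.example>::::::::::0:
"""

# Constructed stand-in for what an MIA activity tracker reports per
# fingerprint: the date of the last signed mail or upload it saw.
SAMPLE_ACTIVITY = {
    "0000111122223333444455556666777788889999": date(2013, 10, 3),  # Alice
    "4444555566667777888899990000111122223333": date(2012, 1, 1),   # Erin
}

TODAY = date(2013, 10, 5)  # constructed reference date for the report


def parse_colon_listing(text):
    """Group pub/fpr/uid records into one dict per primary key.

    Only the first fpr record after a pub line is the primary fingerprint;
    later fpr lines belong to subkeys and are ignored here.
    """
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = {"validity": fields[1], "bits": int(fields[2]),
                       "algo": int(fields[3]), "keyid": fields[4],
                       "fpr": None, "uids": []}
            keys.append(current)
        elif rec == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = fields[9]
        elif rec == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def is_weak(key, min_rsa_bits=2048):
    """1024-bit DSA is the '1024D' class from the thread; RSA shorter than
    min_rsa_bits is flagged too (assumed policy, not from the thread)."""
    if key["algo"] == DSA and key["bits"] <= 1024:
        return True
    if key["algo"] == RSA and key["bits"] < min_rsa_bits:
        return True
    return False


def migration_report(listing, activity, today, active_days=180):
    """Return [(fingerprint, uids, status)] for every non-revoked weak key.

    status is 'active' if seen within active_days, 'inactive' if seen
    earlier, 'never' if the tracker has no record (active_days is assumed).
    """
    cutoff = today - timedelta(days=active_days)
    report = []
    for key in parse_colon_listing(listing):
        if key["validity"] == "r" or not is_weak(key):
            continue  # already revoked, or strong enough: nothing to do
        last = activity.get(key["fpr"])
        if last is None:
            status = "never"
        elif last >= cutoff:
            status = "active"
        else:
            status = "inactive"
        report.append((key["fpr"], key["uids"], status))
    return report


if __name__ == "__main__":
    for fpr, uids, status in migration_report(SAMPLE_LISTING, SAMPLE_ACTIVITY, TODAY):
        print(f"{status:8s} {fpr}")
        for uid in uids:
            print(f"         contact: {uid}")
```

On a real keyring the listing comes from `gpg --no-default-keyring --keyring <file> --with-colons --fingerprint --list-keys`, and the activity map would be filled from the tracker output quoted above. Revoked keys are skipped because there is nothing left to migrate; the "never" bucket is the one the thread's "keys that are not regularly used" point is about, while the "active" bucket is exactly the group for whom a blanket cut-off date would hurt.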

