laying groundwork for an eventual migration away from SHA1 with gpg

Werner Koch wk at
Wed May 6 15:45:09 CEST 2009
just a short remark on the Debian keys:

Using a 4k RSA key for automated signing keys or for role purposes is
not a good idea at all: it makes the user believe that the archive is
secure at that level, but that is clearly not the case.  As usual, one
needs to look at the weakest link, and here we can find a lot of them: a
hijacked developer's box (out of 10000 developers there is for sure at
least one person not protecting his box with all required due diligence),
an ssh key floating around in several places, the upstream sources, the
protection of all the boxes passed while uploading a package, and so on.

Thoughts are free.  Exceptions are regulated by a federal law.