laying groundwork for an eventual migration away from SHA1 with gpg
wk at gnupg.org
Wed May 6 15:45:09 CEST 2009
just a short remark on the Debian keys:
Using a 4k RSA key for an automated signing keys or for role purposes is
not a good idea at all: It makes the user believe that the archive is
secure at that level; but that is clearly not the case. As usual one
need to look at the weakest link and here we can find a lot of them: A
hijacked developers box (Out of 10000 developers there is for sure at
least one folk not protecting his box with all required due diligence),
a ssh key floating around at several places, the upstream sources, the
protection of all the boxes passed while uploading a package and so on.
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
More information about the Gnupg-devel