On Thu, Nov 27, 2014 at 09:01:20AM +0000, Mark Shuttleworth wrote:
> On 27/11/14 00:05, Kees Cook wrote:
> >
> > I think we should have the same policy for PPAs, and it should follow the
> > same timeline. Additionally, we should have LP reject uploading weak keys,
> > which could happen early in the transition timeline.
> >
> > (Seems like we should ditch DSA keys entirely, and all RSA less than 2048.)
> >
>
> Are any of the ECC algorithms widely trusted yet? Seem nice and
> efficient with SSH at least.
>
> Mark
I agree that ECC is pretty nice and that's my default for SSH nowadays;
unfortunately ECC support in GPG was only added in version 2.1, which was
released less than a month ago.

ECDSA SSH key support in Launchpad is a whole different topic. We've had
support for ECDSA keys in sshd since at least 12.04, so I think it can be
considered widely available. The problem however is that Launchpad uses
twisted's implementation of SSH, which currently only supports RSA and DSA.

For GPG ECC keys, I think we should definitely keep an eye on it and, when
GPG 2.1 lands in the distro, make sure that the various tools work properly
with them. Then once our infrastructure is on an LTS version with GPG 2.1
support (likely 16.04) we should definitely start allowing those in Launchpad
and probably update our documentation to recommend them.

As for the original post, I agree that we should be rejecting DSA GPG keys
entirely and any RSA key which is < 2048 bit. The TB only really has control
over Ubuntu, so I don't think that call is up to us, but I'd certainly be
happy to see Launchpad enforce the same thing for PPAs.

For the timeline, as was said before, we can do all this pretty quickly, the
Launchpad code changes being our bottleneck here. I think we should
absolutely have this done before the 15.04 release and hopefully quite a bit
before that.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
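The key policy discussed in this thread (reject DSA outright, reject RSA shorter than 2048 bits, admit ECC only once the deployment opts in), written as an added example that is not Launchpad's code or anything from the list. It evaluates the `pub` records of `gpg --list-keys --with-colons` output; the sample listing is constructed and contains no real key IDs.

```python
"""Key-strength policy check over `gpg --with-colons` key listings."""
from dataclasses import dataclass
from typing import List, Optional

# OpenPGP public-key algorithm IDs as printed in field 4 of --with-colons
# output (RFC 4880 section 9.1; 22 = EdDSA as used by GnuPG 2.1).
RSA_ALGOS = {1, 2, 3}
DSA_ALGOS = {17}
ECC_ALGOS = {18, 19, 22}
MIN_RSA_BITS = 2048


@dataclass
class KeyVerdict:
    key_id: str
    accepted: bool
    reason: str


def check_key_line(line: str, allow_ecc: bool = False) -> Optional[KeyVerdict]:
    """Judge one `pub` record; other record types (sub, uid, fpr...) are skipped."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5 or fields[0] != "pub":
        return None
    bits, algo, key_id = int(fields[2]), int(fields[3]), fields[4]
    if algo in DSA_ALGOS:
        return KeyVerdict(key_id, False, "DSA keys are not accepted")
    if algo in RSA_ALGOS:
        if bits < MIN_RSA_BITS:
            return KeyVerdict(key_id, False, f"RSA {bits}-bit key below {MIN_RSA_BITS}")
        return KeyVerdict(key_id, True, f"RSA {bits}-bit key")
    if algo in ECC_ALGOS:
        if not allow_ecc:
            return KeyVerdict(key_id, False, "ECC keys not yet enabled for this service")
        return KeyVerdict(key_id, True, "ECC key")
    return KeyVerdict(key_id, False, f"unsupported public-key algorithm {algo}")


def check_listing(listing: str, allow_ecc: bool = False) -> List[KeyVerdict]:
    """Apply the policy to every primary key in a --with-colons listing."""
    verdicts = [check_key_line(ln, allow_ecc) for ln in listing.splitlines()]
    return [v for v in verdicts if v is not None]


# Constructed sample listing (not real keys): field 3 = key length,
# field 4 = algorithm ID, field 5 = key ID.
SAMPLE_LISTING = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1262304000::-:::scESC::::::
pub:u:1024:1:BBBBBBBBBBBBBBBB:1262304000::-:::scESC::::::
pub:u:4096:1:CCCCCCCCCCCCCCCC:1262304000::-:::scESC::::::
pub:u:256:22:DDDDDDDDDDDDDDDD:1417046400::-:::scESC::::::
"""

if __name__ == "__main__":
    for v in check_listing(SAMPLE_LISTING):
        print(f"{v.key_id}: {'accept' if v.accepted else 'reject'} ({v.reason})")
```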
-- 
technical-board mailing list
technical-board@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/technical-board