Hi apache folks--

In http://bugs.debian.org/732450, debian is preparing to cryptographically verify OpenPGP signatures on apache upstream tarballs.

As part of the discussion, it's become clear that some of the keys in https://www.apache.org/dist/httpd/KEYS are weak by any modern consideration of public key cryptography. Could this set of keys be pruned?

There are keys in that keyring that are nearly 20 years old, including several 1024-bit RSA and 1024-bit DSA keys (and even one 999-bit RSA key and one 768-bit RSA key!). 1024-bit DSA and RSA keys have been clearly and explicitly deprecated by NIST since the end of 2010 [0]. At least one 768-bit RSA key has actually been factored directly, 4 years ago [1].

I really hope that apache is not still signing source tarballs with those weak keys. And i am hoping that debian wouldn't consider such a signature as legitimate.

I note that the latest releases of 2.2.x and 2.4.x are signed by Jim Jagielski's 4096-bit RSA key, over a digest of SHA-512. These are totally reasonable, modern, reliable choices :)

Could someone at apache clean up the KEYS file to only include strong keys? I'd recommend removing all DSA and RSA keys < 3072 bits in length, to aim for a minimum expected 128-bit symmetric-key equivalence.

Clearly, cryptographic signatures on distributed tarballs are not the only security risk that apache downstreams encounter; but there's no reason that they should be subject to compromise either, since we have stronger algorithms available.

Regards,

--dkg

PS please keep me in the CC if there's more discussion; i've subscribed to http-dev to try to clarify this, but can't cope with yet another e-mail firehose for the long term. :/

[0] pp. 63-66 of http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
[1] https://en.wikipedia.org/wiki/RSA_numbers#RSA-768
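One way to apply the pruning rule from the message above, as an added example (not part of the original e-mail and not Apache or Debian tooling): it reads GnuPG's machine-readable `--with-colons` listing and reports every RSA or DSA primary key or subkey shorter than 3072 bits. The sample listing and its key IDs are constructed, and `weak_keys` is a hypothetical helper name.

```python
import sys

MIN_BITS = 3072  # floor recommended in the message (~128-bit symmetric equivalence)
# OpenPGP public-key algorithm IDs (RFC 4880): 1-3 are RSA variants, 17 is DSA.
ALGOS = {"1": "RSA", "2": "RSA", "3": "RSA", "17": "DSA"}

# Constructed sample in `gpg --with-colons` format:
# field 1 = record type, 3 = key length, 4 = algorithm ID, 5 = key ID.
SAMPLE = """\
pub:-:4096:1:00000000000000A1:1262304000:::-:::scESC:
uid:-::::1262304000::::Constructed Signer A <a@example.org>:
sub:-:4096:1:00000000000000A2:1262304000::::::e:
pub:-:1024:17:00000000000000B1:915148800:::-:::scSC:
sub:-:2048:16:00000000000000B2:915148800::::::e:
pub:-:768:1:00000000000000C1:820454400:::-:::scESC:
pub:-:999:1:00000000000000D1:820454400:::-:::scESC:
pub:-:4096:1:00000000000000E1:1262304000:::-:::scSC:
sub:-:2048:1:00000000000000E2:1262304000::::::s:
pub:-:255:22:00000000000000F1:1388534400:::-:::scSC:
"""

def weak_keys(colon_listing, min_bits=MIN_BITS):
    """Return (primary_keyid, record_type, algo, bits) for each RSA/DSA
    primary key or subkey shorter than min_bits."""
    weak, primary = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 5:
            continue                  # uid, fpr, sig and malformed records
        if f[0] == "pub":
            primary = f[4]            # subkeys are reported under this key ID
        algo = ALGOS.get(f[3])
        if algo is None or not f[2].isdigit():
            continue                  # the rule covers RSA and DSA only
        bits = int(f[2])
        if bits < min_bits:
            weak.append((primary, f[0], algo, bits))
    return weak

if __name__ == "__main__":
    # Pass a saved listing as argv[1]; with no argument the sample is used.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for keyid, rec, algo, bits in weak_keys(listing):
        print(f"{keyid} {rec} {algo}-{bits}: below {MIN_BITS} bits")
```

A listing for a real keyring file can be produced with GnuPG 2.2 or later, for example `gpg --show-keys --with-colons KEYS > listing.txt`, which prints the keys without importing them.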