Posted to dev@subversion.apache.org by Ben Reser <be...@reser.org> on 2012/10/06 00:10:41 UTC

PGP Keys

Given that we're coming up on a couple of opportunities for various
developers to get together and potentially sign keys I thought I'd
bring this subject up.

1) SHA-1 based keys should be migrated off of.  The US Government's
requirement of agencies was to stop using SHA-1 by the end of 2010.
We're nearly 2 years past that date and there are actually several
people still signing releases with such keys.  In particular if you're
still using a 1024 DSA key that means you.  You can check by looking
at how GPG represents your key; if it says 1024D then you need to
replace that key.  Details on a sane way of migrating keys and about
the situation can be found on this blog:
http://www.debian-administration.org/users/dkg/weblog/48

If you have any questions about this I'll do my best to answer them.

2) There are going to be 2 opportunities in the coming months when
several of us are together that it may be useful to carry out a key
signing party.

  a) Greenwich, Connecticut USA October 13th - 15th at the
mini-hackathon before SVN Live.
  b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.

I plan on organizing key signing at both events if there are sufficient
people interested and there will be keys that need signing.  Given the
SHA-1 issue described above and the key signing party options, now
might be an excellent time to generate a new key, especially if you're
planning on attending one of those events.

If you're interested in participating in something like that at one of
those locations, please reply and indicate which location(s) you'll be
available to attend and the dates you'll be available (since some
people may not be available the whole time).  Based on this
information I'll try to coordinate something that hits the maximum
number of people and generates the biggest web of trust.

This is not just an opportunity for developers to sign each other's
keys but also an opportunity for some of our users to sign our keys
and potentially enhance their trust of our signatures.  So feel free
to pass this information along to anyone that's interested.

I'd like to plan the details for the Greenwich, Connecticut
opportunity no later than Tuesday October 8th, so please reply ASAP if
you're interested in that.  I'll post more details once I've figured
them out.
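As an added example that is not part of the thread, here is a small Python script that parses the `gpg --fingerprint` listing format the thread uses (GnuPG 1.4/2.0 style, `pub   1024D/353E25BC 2008-04-21`) and applies the "1024D" test described above; it also goes slightly beyond the text by checking that the short key ID on a handout matches the last eight hex digits of the fingerprint. The sample listing is Julian's as posted later in this thread, with addresses elided as on the page.

```python
import re

# Julian's listing as posted in the thread (e-mail addresses elided as on the page).
SAMPLE_LISTING = """\
pub   1024D/353E25BC 2008-04-21
      Key fingerprint = 6604 5A4B 43BC F994 7777  5728 351F 33E4 353E 25BC
uid                  Julian Foad <ju...@btopenworld.com>
sub   2048g/AC1665DA 2008-04-21

pub   4096R/4EECC493 2012-10-11
      Key fingerprint = 6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
uid                  Julian Foad <ju...@btopenworld.com>
uid                  Julian Foad <ju...@gmail.com>
sub   4096R/9D5140CB 2012-10-11
"""

# GnuPG 1.4/2.0 "pub" line: <bits><algo letter>/<short key id> <creation date>
PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")

def parse_listing(text):
    """Return one dict per primary key: bits, algo, keyid, created, fingerprint, uids."""
    keys = []
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            bits, algo, keyid, created = m.groups()
            keys.append({"bits": int(bits), "algo": algo.upper(), "keyid": keyid.upper(),
                         "created": created, "fingerprint": None, "uids": []})
            continue
        if not keys:  # nothing before the first "pub" line belongs to a key
            continue
        m = FPR_RE.search(line)
        if m:
            keys[-1]["fingerprint"] = m.group(1).replace(" ", "").upper()
        elif line.startswith("uid"):
            keys[-1]["uids"].append(line[3:].strip())
    return keys

def check_key(key):
    """Return the problems found with one parsed key (empty list: it looks fine)."""
    problems = []
    if key["algo"] == "D" and key["bits"] == 1024:  # the thread's "1024D" test
        problems.append("1024D key: DSA-1024 signatures are tied to SHA-1; replace it")
    fpr = key["fingerprint"]
    if fpr is None:
        problems.append("no fingerprint line found")
    elif not fpr.endswith(key["keyid"]):  # short ID = last 8 hex digits of a v4 fingerprint
        problems.append("key ID does not match the last 8 hex digits of the fingerprint")
    return problems

def report(text):
    """Map each primary key ID in a listing to its list of problems."""
    return {k["keyid"]: check_key(k) for k in parse_listing(text)}
```

Run `report(SAMPLE_LISTING)` on the output of `gpg --fingerprint` (or on a pasted handout); note that GnuPG 2.1 and later print `pub   rsa4096 2012-10-11 [SC]` instead, so `PUB_RE` would need adjusting for that format.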

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Wed, Oct 10, 2012 at 8:27 PM, Julian Foad <ju...@btopenworld.com> wrote:
> Ben Reser wrote:
>
>> Those interested in taking part will want to bring with them their
>> keyid/fingerprint/uid information.
>
> Here are my keys.  The new (4096R) key has just been generated, signed by the old key and uploaded to key servers subkeys.pgp.net and keys.gnupg.net.  I'm working through the blog entry you mentioned; let me know if anything seems not quite right.
>
> pub   1024D/353E25BC 2008-04-21
>       Key fingerprint = 6604 5A4B 43BC F994 7777  5728 351F 33E4 353E 25BC
> uid                  Julian Foad <ju...@btopenworld.com>
> sub   2048g/AC1665DA 2008-04-21
>
> pub   4096R/4EECC493 2012-10-11
>       Key fingerprint = 6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
> uid                  Julian Foad <ju...@btopenworld.com>
> uid                  Julian Foad <ju...@gmail.com>
> uid                  Julian Foad <ju...@wandisco.com>
> sub   4096R/9D5140CB 2012-10-11

Only suggestion I would make would be to include your apache.org email
address as a UID.

Re: PGP Keys

Posted by Julian Foad <ju...@btopenworld.com>.
Ben Reser wrote:

> Those interested in taking part will want to bring with them their
> keyid/fingerprint/uid information.

Here are my keys.  The new (4096R) key has just been generated, signed by the old key and uploaded to key servers subkeys.pgp.net and keys.gnupg.net.  I'm working through the blog entry you mentioned; let me know if anything seems not quite right.

pub   1024D/353E25BC 2008-04-21
      Key fingerprint = 6604 5A4B 43BC F994 7777  5728 351F 33E4 353E 25BC
uid                  Julian Foad <ju...@btopenworld.com>
sub   2048g/AC1665DA 2008-04-21

pub   4096R/4EECC493 2012-10-11
      Key fingerprint = 6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
uid                  Julian Foad <ju...@btopenworld.com>
uid                  Julian Foad <ju...@gmail.com>
uid                  Julian Foad <ju...@wandisco.com>
sub   4096R/9D5140CB 2012-10-11

- Julian

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
Those interested in taking part will want to bring with them their
keyid/fingerprint/uid information.

E.g.

$ gpg --fingerprint 16A0DE01
pub   4096R/16A0DE01 2011-01-28
      Key fingerprint = 19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
uid                  Ben Reser <be...@reser.org>
uid                  Ben Reser <br...@apache.org>
uid                  Ben Reser <be...@wandisco.com>
sub   4096R/5EF5CC13 2011-01-28

Please be sure to include all the UIDs that you also want signed for that key.

If it isn't already obvious to everyone, we probably will not be
actually signing but rather confirming identity and you confirming in
person that a given keyid/fingerprint combo is yours.  Everyone will
then sign later.

We'll be doing this somewhat ad hoc, since I didn't really have time to
get this fully organized.  If possible, bring several printed copies of
the above information that we can hand out to everyone; that would be
ideal.  I realize some people may not have time to do this in advance
or access to a printer since some people may already be traveling.  If
you're in this boat please respond here ASAP and I'll see what I can
do to help you.

The basic pattern will be that we will take turns being the signer and
the person asking for a signature.  The requestor will provide a copy
of their keyid/fingerprint and the signer will check ID and confirm
identity.

What ID you want to provide is up to you and what ID people want to
accept is up to them.

Nobody is compelled to sign a key or UID they do not feel comfortable signing.

On Fri, Oct 5, 2012 at 3:10 PM, Ben Reser <be...@reser.org> wrote:
> Given that we're coming up on a couple of opportunities for various
> developers to get together and potentially sign keys I thought I'd
> bring this subject up.
>
> 1) SHA-1 based keys should be migrated off of.  The US Government's
> requirement of agencies was to stop using SHA-1 by the end of 2010.
> We're nearly 2 years past that date and there are actually several
> people still signing releases with such keys.  In particular if you're
> still using a 1024 DSA key that means you.  You can check by looking
> at how GPG represents your key; if it says 1024D then you need to
> replace that key.  Details on a sane way of migrating keys and about
> the situation can be found on this blog:
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you have any questions about this I'll do my best to answer them.
>
> 2) There are going to be 2 opportunities in the coming months when
> several of us are together that it may be useful to carry out a key
> signing party.
>
>   a) Greenwich, Connecticut USA October 13th - 15th at the
> mini-hackathon before SVN Live.
>   b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
>
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing.  Given the
> SHA-1 issue described above and the key signing party options, now
> might be an excellent time to generate a new key, especially if you're
> planning on attending one of those events.
>
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time).  Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
>
> This is not just an opportunity for developers to sign each other's
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures.  So feel free
> to pass this information along to anyone that's interested.
>
> I'd like to plan the details for the Greenwich, Connecticut
> opportunity no later than Tuesday October 8th, so please reply ASAP if
> you're interested in that.  I'll post more details once I've figured
> them out.

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Mon, Oct 8, 2012 at 5:47 PM, Branko Čibej <br...@wandisco.com> wrote:
> P.S.: I wonder if I should "upgrade" my 2kbit/SHA512 RSA key to 4kbit?

I don't think there's any particular need to do that at this point.  I
used a 4096 key size because I figured it might give me a little more
life out of this key.

Re: PGP Keys

Posted by Branko Čibej <br...@wandisco.com>.
On 06.10.2012 00:10, Ben Reser wrote:
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing.  Given the
> SHA-1 issue described above and the key signing party options, now
> might be an excellent time to generate a new key, especially if you're
> planning on attending one of those events.

Thanks for remembering this, and for volunteering to drive the keysigning.

-- Brane

P.S.: I wonder if I should "upgrade" my 2kbit/SHA512 RSA key to 4kbit?

-- Brane

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download


Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Mon, Oct 29, 2012 at 1:41 PM, Ben Reser <be...@reser.org> wrote:
> This is coming up next week.  FYI there is already a key signing event
> scheduled as part of ApacheCon per the email they sent out earlier:
>
> [[[
> - Welcome Reception (Tuesday 6 November at 18:30)
> - PGP Keysigning (Tuesday 6 November at the Welcome Reception)
> ]]]
>
> If anyone who can't make that wants to sign keys, let me know and we
> can get together and do it.  Otherwise, I'll abuse the already planned
> key signing that the conference organizers have set up.

More details on the key signing event at ApacheCon:
PGP Key Signing - There will be a key signing on the Tuesday after the
welcome reception, open to all but strongly recommended to anyone
who's a release manager / might be one in future. Please see
http://wiki.apache.org/apachecon/PgpKeySigning for details + signup.

Be sure to go to that wiki page and follow the directions if you're
going to be participating.

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Fri, Oct 5, 2012 at 3:10 PM, Ben Reser <be...@reser.org> wrote:
>   b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
>
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing.  Given the
> SHA-1 issue described above and the key signing party options, now
> might be an excellent time to generate a new key, especially if you're
> planning on attending one of those events.
>
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time).  Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
>
> This is not just an opportunity for developers to sign each other's
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures.  So feel free
> to pass this information along to anyone that's interested.

This is coming up next week.  FYI there is already a key signing event
scheduled as part of ApacheCon per the email they sent out earlier:

[[[
- Welcome Reception (Tuesday 6 November at 18:30)
- PGP Keysigning (Tuesday 6 November at the Welcome Reception)
]]]

If anyone who can't make that wants to sign keys, let me know and we
can get together and do it.  Otherwise, I'll abuse the already planned
key signing that the conference organizers have set up.

Re: PGP Keys

Posted by Julian Foad <ju...@btopenworld.com>.
Hyrum K Wright wrote:
> Ben Reser wrote:

>> I'd like to plan the details for the Greenwich, Connecticut
>> opportunity no later than Tuesday October 8th, so please reply ASAP if
>> you're interested in that.  I'll post more details once I've figured
>> them out.
>
> I am interested in participating in the keysigning in Greenwich.

Me too.

- Julian

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Mon, Oct 8, 2012 at 5:12 PM, Hyrum K Wright <hy...@hyrumwright.org> wrote:
> I am interested in participating in the keysigning in Greenwich.
> Though I will note that October 8th is a Monday this year, not a
> Tuesday. :)

I meant tomorrow Tuesday October 9th.  Sorry for the typo and confusion.

Re: PGP Keys

Posted by Hyrum K Wright <hy...@hyrumwright.org>.
On Fri, Oct 5, 2012 at 6:10 PM, Ben Reser <be...@reser.org> wrote:
> Given that we're coming up on a couple of opportunities for various
> developers to get together and potentially sign keys I thought I'd
> bring this subject up.
>
> 1) SHA-1 based keys should be migrated off of.  The US Government's
> requirement of agencies was to stop using SHA-1 by the end of 2010.
> We're nearly 2 years past that date and there are actually several
> people still signing releases with such keys.  In particular if you're
> still using a 1024 DSA key that means you.  You can check by looking
> at how GPG represents your key; if it says 1024D then you need to
> replace that key.  Details on a sane way of migrating keys and about
> the situation can be found on this blog:
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you have any questions about this I'll do my best to answer them.
>
> 2) There are going to be 2 opportunities in the coming months when
> several of us are together that it may be useful to carry out a key
> signing party.
>
>   a) Greenwich, Connecticut USA October 13th - 15th at the
> mini-hackathon before SVN Live.
>   b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
>
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing.  Given the
> SHA-1 issue described above and the key signing party options, now
> might be an excellent time to generate a new key, especially if you're
> planning on attending one of those events.
>
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time).  Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
>
> This is not just an opportunity for developers to sign each other's
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures.  So feel free
> to pass this information along to anyone that's interested.
>
> I'd like to plan the details for the Greenwich, Connecticut
> opportunity no later than Tuesday October 8th, so please reply ASAP if
> you're interested in that.  I'll post more details once I've figured
> them out.

I am interested in participating in the keysigning in Greenwich.
Though I will note that October 8th is a Monday this year, not a
Tuesday. :)

-Hyrum

Re: PGP Keys

Posted by Ben Reser <be...@reser.org>.
On Fri, Oct 5, 2012 at 5:10 PM, Ben Reser <be...@reser.org> wrote:
> Given that we're coming up on a couple of opportunities for various
> developers to get together and potentially sign keys I thought I'd
> bring this subject up.
>
> 1) SHA-1 based keys should be migrated off of.  The US Government's
> requirement of agencies was to stop using SHA-1 by the end of 2010.
> We're nearly 2 years past that date and there are actually several
> people still signing releases with such keys.  In particular if you're
> still using a 1024 DSA key that means you.  You can check by looking
> at how GPG represents your key; if it says 1024D then you need to
> replace that key.  Details on a sane way of migrating keys and about
> the situation can be found on this blog:
> http://www.debian-administration.org/users/dkg/weblog/48
>
> If you have any questions about this I'll do my best to answer them.
>
> 2) There are going to be 2 opportunities in the coming months when
> several of us are together that it may be useful to carry out a key
> signing party.
>
>   a) Greenwich, Connecticut USA October 13th - 15th at the
> mini-hackathon before SVN Live.
>   b) Sinsheim, Germany November 5th - 8th at ApacheCon EU 2012.
>
> I plan on organizing key signing at both events if there are sufficient
> people interested and there will be keys that need signing.  Given the
> SHA-1 issue described above and the key signing party options, now
> might be an excellent time to generate a new key, especially if you're
> planning on attending one of those events.
>
> If you're interested in participating in something like that at one of
> those locations, please reply and indicate which location(s) you'll be
> available to attend and the dates you'll be available (since some
> people may not be available the whole time).  Based on this
> information I'll try to coordinate something that hits the maximum
> number of people and generates the biggest web of trust.
>
> This is not just an opportunity for developers to sign each other's
> keys but also an opportunity for some of our users to sign our keys
> and potentially enhance their trust of our signatures.  So feel free
> to pass this information along to anyone that's interested.
>
> I'd like to plan the details for the Greenwich, Connecticut
> opportunity no later than Tuesday October 8th, so please reply ASAP if
> you're interested in that.  I'll post more details once I've figured
> them out.

I neglected to do this in Greenwich.  Everyone that's said anything
about doing this is also here in London plus quite a few other people.
So I'll try to put something together during the first session today
which is about Hook Scripts and I doubt is very interesting to any of
us.