[Bug 1199184] New: switch Tumbleweed to a 4096bit RSA signing key
https://bugzilla.suse.com/show_bug.cgi?id=1199184

            Bug ID: 1199184
           Summary: switch Tumbleweed to a 4096bit RSA signing key
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: dimstar@opensuse.org
          Reporter: meissner@suse.com
        QA Contact: qa-bugs@suse.de
                CC: dmueller@suse.com
          Found By: ---
           Blocker: ---

We currently still use a 2048 bit key for signing. It would be better to switch to a 4096 RSA key.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c1
Fabian Vogt

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c2
--- Comment #2 from Marcus Meissner

Dominique Leuenberger

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c3
--- Comment #3 from Dirk Mueller
> Is still considered secure, but other distros use longer keys and e.g. Dirk Mueller already argues on why openSUSE does not switch.

I'm not arguing, I was asking what needs to be done to implement a longer key for ALP. Based on factory first we should try to roll it out in openSUSE first and see the downsides before doing anything on SLE.

From a brief look at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pd... it appears that RSA2048 is the acceptable minimum, and other distributions are choosing larger keys.

I don't really care which cryptographic method we choose, so elliptic curve is totally fine by me as well. I don't know the implications of that very thoroughly though; more expertise is needed.
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c4
--- Comment #4 from Fabian Vogt

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c5
--- Comment #5 from Marcus Meissner

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c6
Stefan Seyfried

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c7
--- Comment #7 from Dirk Mueller

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c8
Adrian Schröter

Ludwig Nussel

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c9
Dirk Mueller

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c10
--- Comment #10 from Ludwig Nussel

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c11
Ruediger Oertel
> Rudi can you confirm that this is the right key and that we have established backups etc?

Yes, 35A2F86E29B700A4 is the key created 20220620 and this is also in the encrypted backup and in the safe. If a reserve key for openSUSE is needed we can of course create that, but maybe it makes sense to wait a few more weeks until we have the needed infrastructure working for ECC based keys (almost there but still fighting with a few performance issues when switching to current gpg versions).
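The thread turns on two checks an operator would want to automate: which algorithm and size a distribution's signing key actually has, and whether it meets the policy being discussed (RSA of at least 4096 bits, or an elliptic-curve key once the ECC infrastructure is in place). The following is an added example, not code from this bug, from openSUSE or from SUSE's signing infrastructure. It parses the machine-readable output of `gpg --list-keys --with-colons` (field layout as documented in GnuPG's doc/DETAILS) and classifies each signing-capable primary key. The key ids, dates and user ids in `SAMPLE_LISTING` are constructed placeholders, not the Tumbleweed key mentioned above; `audit`, `check_policy` and `audit_keyring` are names chosen for this example.

```python
"""Audit GnuPG primary keys against a minimum-strength signing policy.

Added example (not code from the bug thread or from openSUSE): reads
`gpg --list-keys --with-colons` output and reports, per signing-capable
primary key, its algorithm, size and a policy verdict.
"""
from dataclasses import dataclass
import subprocess

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1 / RFC 9580).
ALGO_NAMES = {1: "RSA", 2: "RSA-encrypt-only", 3: "RSA-sign-only",
              16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
RSA_SIGN_ALGOS = {1, 3}
ECC_SIGN_ALGOS = {19, 22}


@dataclass
class KeyInfo:
    keyid: str
    algo: int
    bits: int
    curve: str   # empty for RSA/DSA; curve name such as "ed25519" for ECC
    caps: str    # capability letters, e.g. "scESC"


def parse_colon_listing(text):
    """Return a KeyInfo for every 'pub' record in --with-colons output.

    Colon-separated fields (1-based, from GnuPG doc/DETAILS): 1 record type,
    3 key length in bits, 4 algorithm id, 5 key id, 12 capabilities,
    17 curve name (ECC keys only). Other record types (tru, uid, sub) are skipped.
    """
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] != "pub":
            continue
        curve = f[16] if len(f) > 16 else ""
        keys.append(KeyInfo(keyid=f[4], algo=int(f[3]), bits=int(f[2]),
                            curve=curve, caps=f[11]))
    return keys


def check_policy(key, min_rsa_bits=4096):
    """Classify one key as 'ok', 'weak' (RSA below the minimum) or 'unsupported'."""
    if key.algo in RSA_SIGN_ALGOS:
        return "ok" if key.bits >= min_rsa_bits else "weak"
    if key.algo in ECC_SIGN_ALGOS:
        # Every curve GnuPG offers for signing is at least 255 bits.
        return "ok"
    # DSA, Elgamal and encrypt-only RSA are not acceptable package-signing keys.
    return "unsupported"


def audit(text, min_rsa_bits=4096):
    """Map key id -> (algorithm label, verdict) for keys with a signing capability."""
    report = {}
    for k in parse_colon_listing(text):
        if "s" not in k.caps.lower():   # neither primary nor subkey can sign
            continue
        label = ALGO_NAMES.get(k.algo, f"algo{k.algo}")
        label += f"-{k.curve}" if k.curve else f"-{k.bits}"
        report[k.keyid] = (label, check_policy(k, min_rsa_bits))
    return report


def audit_keyring(min_rsa_bits=4096, homedir=None):
    """Run gpg on a real keyring (optionally a scratch --homedir) and audit it."""
    cmd = ["gpg"] + (["--homedir", homedir] if homedir else [])
    cmd += ["--list-keys", "--with-colons"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(out, min_rsa_bits)


# Constructed sample listing: placeholder key ids, not real distribution keys.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:2048:1:0000000000000001:1420070400:::-:::scESC::::::23::0:
uid:-::::1420070400::0000000000000000000000000000000000000000::Constructed Key (RSA-2048) <old@example.invalid>::::::::::0:
pub:-:4096:1:0000000000000002:1655683200:::-:::scESC::::::23::0:
uid:-::::1655683200::0000000000000000000000000000000000000000::Constructed Key (RSA-4096) <new@example.invalid>::::::::::0:
pub:-:255:22:0000000000000003:1672531200:::-:::scESC:::::ed25519:::0:
pub:-:1024:17:0000000000000004:1262304000:::-:::scESC::::::23::0:
"""

if __name__ == "__main__":
    for keyid, (label, verdict) in audit(SAMPLE_LISTING).items():
        print(f"{keyid}  {label:16s}  {verdict}")
```

On an RPM-based system the keys that package verification trusts live in the rpm database rather than a user keyring; `rpm -q gpg-pubkey --qf '%{DESCRIPTION}'` prints each as an ASCII-armored block, which can be imported into a scratch keyring (`gpg --homedir /tmp/audit --import`) and then passed to `audit_keyring(homedir="/tmp/audit")`. The verdicts deliberately separate "weak" (an RSA key below the chosen minimum, which the thread notes is still above NIST's 2048-bit floor) from "unsupported" (algorithms that should not be signing packages at all), since the two call for different follow-up.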
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c12
Dirk Mueller

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c13
--- Comment #13 from Dirk Mueller

Frank Krüger

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c14
--- Comment #14 from Marcus Meissner

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c16
--- Comment #16 from Dirk Mueller
> Cross check with Dimstar.
> - switch only after new years as people are already in xmas vacation

Technically the Tumbleweed key is already created, backed up and on the keyserver, so it is "just" a config change to activate it. It would be the easiest to do (but after the xmas break is also fine).
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c17
--- Comment #17 from Swamp Workflow Management

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c18
--- Comment #18 from Swamp Workflow Management

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c19
--- Comment #19 from Dirk Mueller

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c20
--- Comment #20 from Marcus Meissner

Marcus Meissner

https://bugzilla.suse.com/show_bug.cgi?id=1199184#c23
--- Comment #23 from Swamp Workflow Management