View Issue Details

ID: 0000444
Project: bareos-core
Category: installer / packages
View Status: public
Last Update: 2019-12-18 15:25
Reporter: aef
Assigned To: maik
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: x86_64
OS: Debian GNU/Linux
OS Version: 7 "Wheezy"
Summary: 0000444: OpenPGP certificate for the release repository is too weak.
Description: The OpenPGP certificate used for signatures on the release repository for Debian systems features an RSA keypair of insufficient length (1024 bit).

I recommend replacing the current certificate with an RSA keypair of at least 3072 bit length. The Debian operating system uses 4096 bit RSA keypairs to secure its own repositories at least since the release of Debian 7 "Wheezy" in 2013.
Additional Information: In the introduction of their report on "Factorization of a 768-Bit RSA Modulus" in 2010, Thorsten Kleinjung et al. stated the following:

"Because the factorization of a 512-bit RSA modulus was first reported in 1999, it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by a similar academic effort. Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years." (so between 2013 and 2014, Source: https://eprint.iacr.org/2010/006.pdf )

The "Algorithms, Key Sizes and Parameters Report" by the European Union Agency for Network and Information Security (ENISA), released in November 2014, recommends RSA key sizes of 3072 bit length for short term usage (until about 2023). ( Source: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014 )

The German "Bundesnetzagentur" in their "Algorithmenkatalog" of 2013 recommends RSA keys of at least 2048 bit length to be secure until 2019. ( Source: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/2013Algorithmenkatalog.pdf?__blob=publicationFile&v=1 )

The German "Bundesamt für Sicherheit in der Informationstechnik" (BSI) in 2015 states a current minimum RSA key length of 2000 bits. Also it is stated, that starting in 2017 it is planned to recommend the removal of all RSA key sizes lower than 3000 bit. (Source: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102_pdf.pdf?__blob=publicationFile )
Tags: No tags attached.

Relationships

child of 0000501 closed maik bareos-core Release bareos-15.2.1

Activities

aef (reporter)   2015-03-24 03:33   ~0001334

Here is the certificate data:

pub 1024D/0x7A855ABDE0F8EFD4 2013-02-10 [expires: 2017-02-26]
      Key fingerprint = 2FC0 4F7E 3421 E21B 70F3 231F 7A85 5ABD E0F8 EFD4
uid bareos OBS Project <bareos@obs.bareos.org>
joergs (developer)   2015-04-07 18:41   ~0001680

Maik, while changing the signing key now might cause trouble, we should at least create a more secure signing key for the bareos-15.2 release.
joergs (developer)   2015-08-31 12:43   ~0001816

bareos-15.2 will be signed with:

pub 4096R/093BFBA2 2015-08-24 [expires: 2021-02-13]
      Key fingerprint = 0143 857D 9CE8 C2D1 82FE 2631 F93C 028C 093B FBA2
uid Bareos Packaging Signing Key <signing@bareos.com>

Key information is available at http://www.bareos.org/en/download.html
and the key is uploaded to various key servers:
https://sks-keyservers.net/pks/lookup?op=vindex&search=signing@bareos.com
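The check behind this report, written out as an added example (this is not Bareos code and not part of the issue): before trusting a repository signing key, read gpg's machine-readable key listing and flag any key whose algorithm and size fall below a policy. The listing embedded below is constructed from the two keys quoted in the notes above (sizes, key IDs, fingerprints, user IDs and dates as given there; the long key ID of the 4096R key is the last 16 hex digits of its fingerprint, and the subkeys are omitted because the issue does not list them). The 3072-bit threshold for RSA/DSA/ElGamal follows the ENISA figure cited in the report; the 256-bit threshold for ECC keys, the function names and the `audit_keyring` wrapper around the real `gpg` are this example's own assumptions.

```python
"""Flag weak OpenPGP repository signing keys from gpg's colon-format listing.

Added example, not Bareos code. It parses the output of
    gpg --with-colons --fixed-list-mode --fingerprint --list-keys
and reports keys whose algorithm or size is below a policy threshold.
"""
import subprocess
from dataclasses import dataclass, field

# Public-key algorithm IDs from RFC 4880 section 9.1 and RFC 6637.
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Policy: 3072 bits for RSA/DSA/ElGamal (the ENISA 2014 figure cited in the
# report); 256 bits for the ECC algorithms is this example's own assumption.
MIN_BITS = {1: 3072, 2: 3072, 3: 3072, 16: 3072, 17: 3072,
            18: 256, 19: 256, 22: 256}


@dataclass
class Key:
    keyid: str
    algo: int
    bits: int
    primary: bool
    fingerprint: str = ""
    uids: list = field(default_factory=list)

    def weakness(self):
        """Return a reason string if the key violates MIN_BITS, else None."""
        name = ALGO_NAMES.get(self.algo, "algo %d" % self.algo)
        minimum = MIN_BITS.get(self.algo)
        if minimum is None:
            return "unknown algorithm %s" % name
        if self.bits < minimum:
            return "%s %d-bit is below the %d-bit minimum" % (name, self.bits, minimum)
        return None


def parse_colon_listing(text):
    """Parse pub/sub/fpr/uid records of gpg --with-colons output.

    Field layout (1-based, from gpg's doc/DETAILS): 3 = key length,
    4 = algorithm, 5 = key ID; field 10 carries the fingerprint for 'fpr'
    records and the user ID for 'uid' records. A 'fpr' record follows the
    key it belongs to; 'uid' records belong to the preceding primary key.
    """
    keys, current, primary = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = Key(keyid=f[4], algo=int(f[3]), bits=int(f[2]),
                          primary=(f[0] == "pub"))
            if current.primary:
                primary = current
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]
        elif f[0] == "uid" and primary is not None:
            primary.uids.append(f[9])
    return keys


def audit(text):
    """Map each weak key's ID to the reason it fails the policy."""
    return {k.keyid: k.weakness() for k in parse_colon_listing(text) if k.weakness()}


def audit_keyring(gpg_args=("--list-keys",)):
    """Run the real gpg on a local keyring (e.g. an apt trusted keyring) and audit it."""
    out = subprocess.run(["gpg", "--with-colons", "--fixed-list-mode",
                          "--fingerprint", *gpg_args],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


# Constructed listing in gpg's colon format, built from the two keys quoted in
# this issue; 'e' in the validity field marks the first key as expired.
SAMPLE_LISTING = """\
pub:e:1024:17:7A855ABDE0F8EFD4:1360454400:1488067200::-:::scESC::::::23::0:
fpr:::::::::2FC04F7E3421E21B70F3231F7A855ABDE0F8EFD4:
uid:e::::1360454400::::bareos OBS Project <bareos@obs.bareos.org>::::::::::0:
pub:-:4096:1:F93C028C093BFBA2:1440374400:1613174400::-:::scESC::::::23::0:
fpr:::::::::0143857D9CE8C2D182FE2631F93C028C093BFBA2:
uid:-::::1440374400::::Bareos Packaging Signing Key <signing@bareos.com>::::::::::0:
"""

if __name__ == "__main__":
    for keyid, reason in audit(SAMPLE_LISTING).items():
        print("WEAK %s: %s" % (keyid, reason))
```

Run against the constructed listing, only the 1024-bit DSA key (the 1024D key from the first note) is reported; the 4096-bit RSA key passes. The listing shows why the report's check matters on the algorithm as well as the size: gpg prints the 1024-bit key as algorithm 17 (DSA), so a checker keyed on RSA alone would miss it. To audit a real system, call `audit_keyring(("--no-default-keyring", "--keyring", "/path/to/repo.gpg", "--list-keys"))` with the keyring you want inspected.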

Issue History

Date Modified Username Field Change
2015-03-24 03:29 aef New Issue
2015-03-24 03:33 aef Note Added: 0001334
2015-03-25 16:42 joergs Status new => acknowledged
2015-04-07 18:40 joergs Assigned To => maik
2015-04-07 18:40 joergs Status acknowledged => assigned
2015-04-07 18:41 joergs Note Added: 0001680
2015-08-10 14:36 maik Relationship added child of 0000501
2015-08-31 12:43 joergs Note Added: 0001816
2015-09-01 11:10 joergs Status assigned => resolved
2015-09-01 11:10 joergs Resolution open => fixed
2019-12-18 15:25 arogge Status resolved => closed