www-community mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Tue, 11 Aug 2009 14:38:57 GMT

On 11/08/2009, Robert Burrell Donkin <rdonkin@apache.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>  with ApacheConUS only three months away, we really need to start
>  planning how apache can move away from short keys (DSA and RSA < 2048)
>  and weak WOT links (SHA-1)[1]. the consensus on infra was that this is
>  the best list for this discussion. if it happens to get too busy then a
>  new list can be created.
>
>  the first step needs to be updating the documents so that new release
>  managers know how to set up and use GnuPG[2] to generate keys unlikely
>  to need changing in the next couple of years. i'll start a thread over
>  on site dev to cover this.
>
>  the first question for discussion is recommended key length. 2048 is the
>  minimum safe size for new keys but only just. for keys used to sign
>  releases, 4096 is more credible today. 8192 bit keys are possible with
>  GnuPG[3] but are fiddly and - in older tools - support may be patchy.
>  going for 4096 would mean a second transition before 2015 but the next
>  generation (SHA-3 and next generation of OpenPGP) should be available by
>  then.

Perhaps the new keys should have an expiration date of 2015 (or earlier)?

>  consensus on infra was to go for 4096 but if anyone knows any good
>  reasons to go for some other value, please jump in.
>
>  - - robert
>
>  [1]
>  http://www.jroller.com/robertburrelldonkin/entry/release_distribution_renewing_the_web
>  [2] http://www.gnupg.org
>  [3] http://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys
>  -----BEGIN PGP SIGNATURE-----
>  Version: GnuPG v2.0.11 (GNU/Linux)
>  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>  -----END PGP SIGNATURE-----
>
>
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: community-unsubscribe@apache.org
>  For additional commands, e-mail: community-help@apache.org
>
>
