www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henri Yandell <bay...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Tue, 11 Aug 2009 19:00:05 GMT
Need to update http://www.apache.org/dev/release-signing.html to say
4096 asap I suspect :) Stop new people being lured into this problem.

Hen

On Tue, Aug 11, 2009 at 5:39 AM, Robert Burrell
Donkin<rdonkin@apache.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> with ApacheConUS only three months away, we really need to start
> planning how apache can move away from short keys (DSA and RSA < 2048)
> and weak WOT links (SHA-1)[1]. the consensus on infra was that this is
> the best list for this discussion. if it happens to get too busy then a
> new list can be created.
>
> the first step needs to be updating the documents so that new release
> managers know how to set up and use GnuPG[2] to generate keys unlikely
> to need changing in the next couple of years. i'll start a thread over
> on site dev to cover this.
>
> the first question for discussion is recommended key length. 2048 is the
> minimum safe size for new keys but only just. for keys used to sign
> releases, 4096 is more credible today. 8192 bit keys are possible with
> GnuPG[3] but are fiddly and - in older tools - support may be patchy.
> going for 4096 would mean a second transition before 2015 but the next
> generation (SHA-3 and next generation of OpenPGP) should be available by
> then.
>
> consensus on infra was to go for 4096 but if anyone knows any good
> reasons to go for some other value, please jump in.
>
> - - robert
>
> [1]
> http://www.jroller.com/robertburrelldonkin/entry/release_distribution_renewing_the_web
> [2] http://www.gnupg.org
> [3] http://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIcBAEBAgAGBQJKgWaEAAoJEHl6NpRAqILLzzQP/RI/ZpkauHrLMzW48lNRsmUc
> h9a4HJ1WXL6eESSbJK9rawPxrAvG/p3rbH3TTixIkwLPz8BQDuG8kxmTHn8LDlGg
> /YLZbDtgFpF3SElGn1MbzldI48DTgw/JXa4opVHi/gvSAoA72+P7td5D12YiA+6R
> Urr6I8hcDOdHRfDsXPHbu5MLh4S//vVgrdOXahLqwzwJK0GCdsjJ88RGJgPXrWfH
> abfzKY3jGUheLtIJUbQiMI2IKA5VrCK+WMXoWxnqnnxL6JDQUGXfpai5dxoRy22D
> wcv6UN+FIUF8OCBymYRXMcngwczYDkYkUyrVEjOSlnmtC4rHKq/wZGtn3VJGSCEf
> hLoSC+aZ+HLHxK5pA0ZxRs4IFhMtTijV5ng6VA1aOPW0N1ySIUd7fgAO7QpksCcL
> 84LZMAzstH48Ce2Zzrj8oJ5NLYIR531Mh0C7N/JRkUdPLTXDByvXBTJ9uRXoRw6v
> a1IexoewUxXfAcR2Yi0lVtkL9ZBVWMm/caXpSqLHKxFvQND71dWg+7UsfJR057c3
> CP5bwJIp4dANLOeYa6kj07b+Xu2ZutKBAdZWSH/u3lx1Grh3apq1gbGmdoyKyLyj
> d4px2wyB6oWS5C3ZEdAG8oy9QC1LERgnqTt7kMGMNl5j8E1AAMsPTw7laULss1S1
> itF2Nys9bJZA1dfQTx7B
> =w79Q
> -----END PGP SIGNATURE-----
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: community-unsubscribe@apache.org
> For additional commands, e-mail: community-help@apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Mime
View raw message