www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Tue, 11 Aug 2009 15:24:50 GMT
Hash: SHA1

Rich Bowen wrote:
> On Aug 11, 2009, at 10:13, Tony Stevenson wrote:
>> You cannot retrospectively 'upgrade' your key, AIUI, at least.
>> So you will sadly lose all your signatures as you will need a new
>> key.  

it should be possible to use a script to transfer them

>> Thankfully I created mine with a 4096 key length so I'm ok, but
>> I get impression many folks wont be.
>> Get your key created now, and at Apachecon we will have to have a
>> large key signing party.   :)

yes :-)

but we can probably do a little better than that

1024 bit keys and SHA-1 links are currently considered safe so there's
no reason to believe that apache keys have been compromised. transition
statements [1] in a trusted location will probably be good enough to
convince most people to re-sign. but we'd need to think carefully about
a sufficient secure infrastructure before recommending this.

we should really probably think about setting up some minimal
revocation infrastructure (subversion space plus mailing list, perhaps)
plus documentation while we're thinking about it...

> Pity.
> Also, there's the issue of being unable to read encrypted email I
> receive by the old key. But I suppose that I can deal with that on a
> case-by-case basis. And hardly anybody sends me encrypted email any more
> anyways.

the particular problem for apache is that it's the code signing usage
that has been broken by the SHA-1 collisions. it's safe to keep the old
key around to read encrypted email. personally speaking, i'd just delete
the signing private key and transfer the encryption subkey to the new
ring (setting an appropriate expiry date).

> Ok. Generating new key. I guess this is my chance to purge all of those
> former employer email addresses from my key, too.

there are some settings that need changing before you do. probably need
to upgrade to the latest version of GnuPG as well. i'm working on some
instructions which i'll tidy up and blog some time soon. it'd be great
if people could wait and alpha test the official apache documentation.

i have some instructions about replacing the existing uses at apache
which i'll tidy up and blog.

since the DSA keys are still considered safe ATM, i recommend retaining
both for a transitional period. the important point is to use the new,
longer key for signing.

- - robert

Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org

View raw message