www-community mailing list archives

From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Tue, 11 Aug 2009 15:27:44 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sebb wrote:
> On 11/08/2009, Robert Burrell Donkin <rdonkin@apache.org> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA1
>>
>>  with ApacheConUS only three months away, we really need to start
>>  planning how apache can move away from short keys (DSA and RSA < 2048)
>>  and weak WOT links (SHA-1)[1]. the consensus on infra was that this is
>>  the best list for this discussion. if it happens to get too busy then a
>>  new list can be created.
>>
>>  the first step needs to be updating the documents so that new release
>>  managers know how to set up and use GnuPG[2] to generate keys unlikely
>>  to need changing in the next couple of years. i'll start a thread over
>>  on site dev to cover this.
>>
>>  the first question for discussion is recommended key length. 2048 is the
>>  minimum safe size for new keys but only just. for keys used to sign
>>  releases, 4096 is more credible today. 8192 bit keys are possible with
>>  GnuPG[3] but are fiddly and - in older tools - support may be patchy.
>>  going for 4096 would mean a second transition before 2015 but the next
>>  generation (SHA-3 and next generation of OpenPGP) should be available by
>>  then.
> 
> Perhaps the new keys should have an expiration date of 2015 (or earlier)?

probably a good idea. expiry dates can be changed on keys so it's just a
useful reminder.

- - robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----
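
The thresholds discussed in this thread (DSA and RSA < 2048 as short keys, 4096 for release signing, an expiry of 2015 or earlier) can be checked against a keyring listing. The following is an added example, not part of the original message or any Apache tooling; the sample listing and key IDs are constructed, and reading "2015 (or earlier)" as on or before 2015-12-31 UTC is an assumption.

```python
from datetime import datetime, timezone

MIN_BITS = 2048       # thread: minimum safe size for new keys
RELEASE_BITS = 4096   # thread: more credible for release-signing keys
# Assumption: "2015 (or earlier)" is read as "on or before 2015-12-31 UTC".
DEADLINE = datetime(2015, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
RSA, DSA = "1", "17"  # OpenPGP public-key algorithm IDs (RFC 4880)

# Constructed sample of `gpg --list-keys --with-colons` output (fake key IDs).
SAMPLE = """\
pub:u:1024:17:0000000000000001:1100000000:::u:::scESC:
uid:u::::1100000000::X::Constructed DSA key <a@example.org>:
pub:u:2048:1:0000000000000002:1249948800:::u:::scESC:
pub:u:4096:1:0000000000000003:1249948800:1420070400::u:::scESC:
sub:u:4096:1:0000000000000004:1249948800:1420070400:::::e:
"""

def parse_when(field):
    """Expiry field: epoch seconds, or YYYY-MM-DD from older listings."""
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit(listing, release_signing=True):
    """Map each primary key ID to a list of findings (empty list = passes)."""
    report = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "pub" or len(f) < 7:
            continue  # skip uid/sub/fpr records and malformed lines
        bits, algo, keyid, expires = int(f[2]), f[3], f[4], f[6]
        issues = []
        if algo == DSA:
            issues.append("DSA key")
        elif algo == RSA and bits < MIN_BITS:
            issues.append(f"RSA {bits} is below {MIN_BITS}")
        elif algo == RSA and release_signing and bits < RELEASE_BITS:
            issues.append(f"RSA {bits} is below {RELEASE_BITS} for release signing")
        if not expires:
            issues.append("no expiry date")
        elif parse_when(expires) > DEADLINE:
            issues.append("expires after 2015")
        report[keyid] = issues
    return report

if __name__ == "__main__":
    for keyid, issues in audit(SAMPLE).items():
        print(keyid, "OK" if not issues else "; ".join(issues))
```

Only primary (`pub`) records are audited; subkeys would need the same checks applied to `sub` records.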

