www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Wed, 12 Aug 2009 13:38:10 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Burrell Donkin wrote:
> Henri Yandell wrote:
>> Need to update http://www.apache.org/dev/release-signing.html to say
>> 4096 asap I suspect :) Stop new people being lured into this problem.

i've committed something (as a stopgap measure)

> yes but...
> 
> key size isn't the direct cause of the problem: SHA-1 is
> 
> AIUI the OpenPGP WG assumed that the next generation hash algorithm (and
> so the next OpenPGP revision) would be available before SHA-1 was
> broken. this is now looking very unlikely.
> 
> so, new keys need to be generated using the latest tools with specific
> settings (older tools and default settings typically try to force people
> into the OpenPGP defaults for compatibility), and everyone (even those
> with longer keys) need to upgrade their tools and adjust the settings.
> 
> we also need to ensure that we're setting up the infrastructure for an
> orderly, measured transition rather than rushing to create a panic.

should probably expand that section explaining the situation. maybe
something like:

"
Recent research has revealed weaknesses in SHA-1, and in the DSA and
1024 bit RSA OpenPGP keys which must use this algorithm. Though these
weaknesses are not yet feasible but - if experience with similar
weaknesses in MD5 can be a guide - further advances may well lead to
practical attackers within the next few years. There is no reason for
owners of these keys to panic but new keys of short length should not be
generated.

All new RSA keys generated should be at least 4096 bits. Do not generate
new DSA keys.

See discussions on the community list for more information.
"

opinions? improvements?

- - robert

- ---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJKgsXCAAoJEHl6NpRAqILLRfMQANmiqQ6PIIqxXj2E913/U1py
9pcBZE5veSmXqEu0p7gL/U0QWkbFd8Ogfv2NAlKAZaA39bAyB6U2h3Pi0KSAJkQ4
VtFhjwTdqGYSU+DZW/TCR06W1V8VNWcXRjCujuVE6Zp59DAn2/qYHKwh09D77BRt
M+gYyPHQWf5WqUt1yQlLq56aXIzkwoFccPMEjGvbztwaK7lFYNbx8/LQZclvFTEn
5kinUIHakU8vsz+UT92Cz/kuzBYheO8Ih1zjO1h3PXJfoZyulDgOHj+M1cYNbHrp
een0Y21zAK9NaB1arPargd4yIjGpaI0BVp2nSCvI5MZT3VpJUm025RiYvSjQn3f4
psfG6Y4vS3X/d7FsNszx4uQgtIoP8S1Iq8QFqF0p5zzxW91i3JaLGwq4dNS92to8
DLRb/3Q+90LfANdIjorDYDeybF4DICXUK6bIcAe3ejEhnsIGx41OxKrhIl17UWwl
+ZJuBIZfjQXLpg3DpExnCawo23vB02+Op2anzN1AISlIUtZqGu4EkArZA/i3fy4X
QRNd28/eh/JeozVPjDhhD+K0Uph1154hu8RgTKBs9emLzCsy5h67wtQJVbRrmbI+
zuZ6g6okhQPUtrjQzKlv6WwgdqjxVSAl+uuJdbr+BkDdSI1gJxlUwAfh5a0uHY1B
IJrs7IDy429sbaMylGrJ
=2LWM
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Mime
View raw message