www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: [OpenPGP] Moving Away From DSA and SHA-1
Date Wed, 12 Aug 2009 16:13:22 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Burrell Donkin wrote:
> Robert Burrell Donkin wrote:
>> Henri Yandell wrote:
>>> Need to update http://www.apache.org/dev/release-signing.html to say
>>> 4096 asap I suspect :) Stop new people being lured into this problem.
> 
> i've committed something (as a stopgap measure)
> 
>> yes but...
> 
>> key size isn't the direct cause of the problem: SHA-1 is
> 
>> AIUI the OpenPGP WG assumed that the next generation hash algorithm (and
>> so the next OpenPGP revision) would be available before SHA-1 was
>> broken. this is now looking very unlikely.
> 
>> so, new keys need to be generated using the latest tools with specific
>> settings (older tools and default settings typically try to force people
>> into the OpenPGP defaults for compatibility), and everyone (even those
>> with longer keys) need to upgrade their tools and adjust the settings.
> 
>> we also need to ensure that we're setting up the infrastructure for an
>> orderly, measured transition rather than rushing to create a panic.
> 
> should probably expand that section explaining the situation. 

the improved text from discussions on site-dev is:

   Recent research has revealed weaknesses in SHA-1, and thus in the DSA
   and 1024 bit RSA OpenPGP keys which must use this algorithm. Though
   no realistic attacks have been made public, experience with similar
   weaknesses in MD5 suggests that further advances may well lead
   to practical attacks within the next few years. This accords with
   current NIST guidance on DSA.

   All new RSA keys generated should be at least 4096 bits. Do not
   generate new DSA keys.

   See discussions on the community list for more information.

opinions? improvements?

- - robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJKguohAAoJEHl6NpRAqILLILQQAN41dKfN09x08CzDRATmv9IP
Q8wFvdaVzMIh/FRKXRVUqIlE75hI8GjiyaOVxt462ruRDFAo45mxpxvXttYP0iVg
kJHDVLgCEtI4kIjM4uDCcJ8hMPewqCU3Mh6qDEIfEJHftWdaGO6agwet204vGQ3n
rUuE+Rf0t6McRufHx7HVT9hiO5wqArj9S65t6jpqh7CwJU2PZQ+ApqyFJxxzsxxR
0gSCzuhG+MYj7QFtx4EcZGyQE7LKKKd7hhgsCAxHQ204DhCQc4+xY+WM/gQ4GZ2c
YLcOA7EeW4oy2aS2DXs4AICfiOW9R9PyeUs+oCcnbDGM/BzZfOBICHB/jnMj5lNM
KpgA8dQZcDqoUGnBtuDQ7658wB2iooGQZw52quxp/36A3sje3Pwq64cLV1UI2fmI
5CK2lJ8Bouky1z39BIq3UZIKBNjHDM7x1RUvRM2/CCe1ZjAPzWHIwWteV45+qCd3
jDbaBQ1bysie19ST7ojYX+zFwLz2kFk3hrbC6xwL0xydFgAQmTdjNTnC5bvZBzCy
/DFRbnIRrDOW7JW1vNenXInuEhva/a0nrdgBRYeTbcQfmvCNM7As+oJI6hv+gGjL
SaRen2akc5vaeg0Igtp+GX1JwOkBvtI/9FLfQ4ezd+MsApu/OpB0R/UGFCIyx3+N
XnFPPTyffNUPwBUDZ/43
=beJj
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Mime
View raw message