www-infrastructure-issues mailing list archives

From "Robert Burrell Donkin (JIRA)" <j...@apache.org>
Subject [jira] Updated: (INFRA-2042) EOL SHA1, DSA
Date Thu, 07 May 2009 13:00:32 GMT

     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: ws-rat-scan-data-2009-05-07.html
                wicket-rat-scan-data-2009-05-07.html
                velocity-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html,
> apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html,
> beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html,
> cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html,
> continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html,
> db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html,
> felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html,
> hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html,
> httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html,
> incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html,
> james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html,
> lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html,
> maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html,
> myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html,
> openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html,
> poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html,
> quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html, servicemix-rat-scan-data-2009-05-07.html,
> shale-rat-scan-data-2009-05-07.html, spamassassin-rat-scan-data-2009-05-07.html, stdcxx-rat-scan-data-2009-05-07.html,
> struts-rat-scan-data-2009-05-07.html, synapse-rat-scan-data-2009-05-07.html, tapestry-rat-scan-data-2009-05-07.html,
> tcl-rat-scan-data-2009-05-07.html, tiles-rat-scan-data-2009-05-07.html, tomcat-rat-scan-data-2009-05-07.html,
> turbine-rat-scan-data-2009-05-07.html, tuscany-rat-scan-data-2009-05-07.html, velocity-rat-scan-data-2009-05-07.html,
> wicket-rat-scan-data-2009-05-07.html, ws-rat-scan-data-2009-05-07.html
>
>
> [PLEASE LEAVE OPEN FOR LONG TERM TRACKING]
> NIST advises [1] SHA1 has been scheduled for EOL in 2010. Recent research [2] has revealed
> new vulnerabilities in SHA1.
> DSA requires a 160-bit hash, with SHA1 the most common choice. DSA has a 1024-bit key length.
> This is considered too short [4], with 4096 bits being better but 8192 preferable. Most digital
> signatures - including many of those which secure the WOT [3] and Apache releases - use SHA1
> and DSA.
> Debian are preparing to start transitioning away from DSA and SHA1 [5]. Apache should
> think about how to do the same.
> [1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
> [2] See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> [3] Web Of Trust
> [4] Applied Cryptography, Long Range Factor Predictions
> [5] http://www.debian-administration.org/users/dkg/weblog/48

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
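One way a release engineer could audit for the transition the issue asks for, added here as an example and not code from the JIRA issue, Apache or Debian: a small Python parser that reads the public-key and hash algorithm ids out of a detached OpenPGP signature and flags the DSA/SHA1 combination. The armored samples are constructed dummies with fake MPIs, and the function names are assumptions of this example.

```python
"""Flag OpenPGP signatures that still use DSA and/or SHA-1 (added example)."""
import base64

# RFC 4880 algorithm ids (subset).
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
EOL_PUBKEY, EOL_HASH = {"DSA"}, {"MD5", "SHA1"}


def dearmor(text):
    """Return the binary packets inside an ASCII-armored block (CRC line dropped)."""
    lines = text.strip().splitlines()
    i = next(n for n, l in enumerate(lines) if l.startswith("-----BEGIN")) + 1
    while i < len(lines) and lines[i].strip():   # skip armor headers up to the blank line
        i += 1
    data = []
    for line in lines[i:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if line and not line.startswith("="):     # "=XXXX" is the 24-bit armor CRC
            data.append(line)
    return base64.b64decode("".join(data))


def signature_algorithms(packets):
    """Return (pubkey_algo, hash_algo) names from the first signature packet (tag 2)."""
    tag_byte = packets[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                          # new-format header
        tag, first = tag_byte & 0x3F, packets[1]
        body_off = 2 if first < 192 else (3 if first < 224 else 6 if first == 255 else None)
        if body_off is None:
            raise ValueError("partial body lengths not supported")
    else:                                        # old-format header: 1, 2 or 4 length bytes
        tag, body_off = (tag_byte >> 2) & 0x0F, 1 + {0: 1, 1: 2, 2: 4, 3: 0}[tag_byte & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    body = packets[body_off:]
    if body[0] == 4:                             # v4: version, type, pk algo, hash algo
        pk, hsh = body[2], body[3]
    elif body[0] == 3:                           # v3: ... 4-byte time, 8-byte key id, pk algo, hash algo
        pk, hsh = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return PUBKEY_ALGOS.get(pk, "unknown(%d)" % pk), HASH_ALGOS.get(hsh, "unknown(%d)" % hsh)


def check_signature(armored):
    """Policy verdict for one detached .asc: which algorithms, and whether either is EOL."""
    pk, hsh = signature_algorithms(dearmor(armored))
    return {"pubkey": pk, "hash": hsh, "eol": pk in EOL_PUBKEY or hsh in EOL_HASH}


def constructed_signature(pk_algo, hash_algo):
    """CONSTRUCTED fixture: a v4 signature packet with dummy MPIs; it verifies nothing."""
    body = bytes([4, 0, pk_algo, hash_algo]) + b"\x00\x00\x00\x00\xab\xcd" + b"\x00\x08\xff" * 2
    packet = bytes([0x88, len(body)]) + body     # old-format header, tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    print("dsa-sha1  ", check_signature(constructed_signature(17, 2)))   # eol: True
    print("rsa-sha256", check_signature(constructed_signature(1, 8)))    # eol: False
```

Against real release signatures the same verdict can be cross-checked with `gpg --list-packets file.asc`, which prints the same algorithm ids.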

