with ApacheConUS only three months away, we really need to start planning how apache can move away from short keys (DSA and RSA < 2048) and weak WOT links (SHA-1)[1]. the consensus on infra was that this is the best list for this discussion. if it happens to get too busy then a new list can be created.
the first step needs to be updating the documents so that new release managers know how to set up and use GnuPG[2] to generate keys unlikely to need changing in the next couple of years. i'll start a thread over on site dev to cover this.

the first question for discussion is recommended key length. 2048 is the minimum safe size for new keys, but only just. for keys used to sign releases, 4096 is more credible today. 8192-bit keys are possible with GnuPG[3] but are fiddly and - in older tools - support may be patchy. going for 4096 would mean a second transition before 2015, but the next generation (SHA-3 and the next generation of OpenPGP) should be available by then. consensus on infra was to go for 4096, but if anyone knows any good reasons to go for some other value, please jump in.

- robert

[1] http://www.jroller.com/robertburrelldonkin/entry/release_distribution_renewing_the_web
[2] http://www.gnupg.org
[3] http://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys
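A defender-side check for the migration the post calls for, added here as an example and not part of the original mail: it flags DSA keys and RSA keys shorter than 2048 bits in the machine-readable output of `gpg --list-keys --with-colons`, and tests whether a key's digest preferences (as printed by `showpref` in `gpg --edit-key`) still lead with SHA1. The key listings and preference lines below are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for the DSA / RSA<2048 / SHA-1 migration. Input formats:
#  - `gpg --list-keys --with-colons`: field 1 record type, field 3 bit length,
#    field 4 OpenPGP algorithm id (1 = RSA, 17 = DSA per RFC 4880), field 5 key id.
#  - `showpref` lines from `gpg --edit-key`: "Digest: SHA1, SHA256, ..." in order.
# Both samples below are constructed, not captured from a real keyring.

# Constructed sample: a 1024-bit DSA key, a 1024-bit RSA key, a 4096-bit RSA key.
SAMPLE_KEYS='tru::1:1700000000:0:3:1:5
pub:u:1024:17:0000000000000001:1200000000:::u:::scESC:
uid:u::::1200000000::00000000000000000000000000000000::Example One <one@example.invalid>:
pub:u:1024:1:0000000000000002:1200000000:::u:::scESC:
uid:u::::1200000000::00000000000000000000000000000000::Example Two <two@example.invalid>:
pub:u:4096:1:0000000000000003:1250000000:::u:::scESC:
uid:u::::1250000000::00000000000000000000000000000000::Example Three <three@example.invalid>:'

# Constructed sample of showpref output for a key that still prefers SHA1.
SAMPLE_PREFS='     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, SHA384, SHA512, SHA224
     Compression: ZLIB, BZIP2, ZIP, Uncompressed'

# Print "<keyid> <reason>" for every public key that fails the key-size policy.
weak_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" {
            algo = $4; bits = $3 + 0; keyid = $5
            if (algo == 17) print keyid, "DSA key (" bits " bits): replace"
            else if (algo == 1 && bits < 2048) print keyid, "RSA key only " bits " bits: replace"
        }'
}

# Return 0 if the listing contains no weak keys, 1 otherwise.
keys_ok() {
    [ -z "$(weak_keys "$1")" ]
}

# Return 0 if the first digest preference is a SHA-2 algorithm, 1 if SHA1
# (or anything unrecognised) is listed first.
digest_pref_ok() {
    first=$(printf '%s\n' "$1" | awk -F': *' '$1 ~ /Digest/ { split($2, d, ", *"); print d[1]; exit }')
    case "$first" in
        SHA256|SHA384|SHA512|SHA224) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: list the keys that need replacing in the sample.
weak_keys "$SAMPLE_KEYS"
```

Against a live keyring, feed the output of `gpg --list-keys --with-colons` to `weak_keys` and the `showpref` lines of each key to `digest_pref_ok`.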
