Rich Bowen wrote:
>
> On Aug 11, 2009, at 10:13, Tony Stevenson wrote:
>
>> You cannot retrospectively 'upgrade' your key, AIUI, at least.
>> So you will sadly lose all your signatures as you will need a new
>> key.

it should be possible to use a script to transfer them

>> Thankfully I created mine with a 4096 key length so I'm ok, but
>> I get the impression many folks won't be.
>>
>> Get your key created now, and at Apachecon we will have to have a
>> large key signing party. :)

yes :-) but we can probably do a little better than that

1024 bit keys and SHA-1 links are currently considered safe so there's no reason to believe that apache keys have been compromised. transition statements [1] in a trusted location will probably be good enough to convince most people to re-sign. but we'd need to think carefully about a sufficiently secure infrastructure before recommending this.

we should really probably think about setting up some minimal revocation infrastructure (subversion space plus mailing list, perhaps) plus documentation while we're thinking about it...

> Pity.
>
> Also, there's the issue of being unable to read encrypted email I
> receive by the old key. But I suppose that I can deal with that on a
> case-by-case basis. And hardly anybody sends me encrypted email any more
> anyways.

the particular problem for apache is that it's the code signing usage that has been broken by the SHA-1 collisions. it's safe to keep the old key around to read encrypted email. personally speaking, i'd just delete the signing private key and transfer the encryption subkey to the new ring (setting an appropriate expiry date).

> Ok. Generating new key. I guess this is my chance to purge all of those
> former employer email addresses from my key, too.

there are some settings that need changing before you do. probably need to upgrade to the latest version of GnuPG as well. i'm working on some instructions which i'll tidy up and blog some time soon. it'd be great if people could wait and alpha test the official apache documentation. i have some instructions about replacing the existing uses at apache which i'll tidy up and blog.

since the DSA keys are still considered safe ATM, i recommend retaining both for a transitional period. the important point is to use the new, longer key for signing.

- robert

[1] http://www.jroller.com/robertburrelldonkin/entry/openpgp_transition_statement
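As an added illustration that is not part of this thread or of Apache's documentation, the transition Robert sketches written out as GnuPG commands: SHA-2 digest settings, a transition statement signed by both keys, a revocation certificate for the new key, and carrying over only the old encryption subkey with an expiry. The fingerprints, user ID, file names and the GnuPG 2.1+ quick-* commands are assumptions, and the settings are appended to gpg.conf rather than replacing it.

```shell
#!/bin/sh
# Added example, not from the thread or Apache docs. Fingerprints, the user
# ID and file names are placeholders; assumes GnuPG 2.1+ (quick-* commands).
set -eu

# 1. Settings to change before creating the new key: stop producing SHA-1
#    signatures and advertise SHA-2 on the new key ($1 = gpg.conf path).
write_gpg_conf() {
    cat >>"$1" <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}
# 2. Transition statement, signed by BOTH keys so people who signed the old
#    key can re-sign the new one ($1 = old fpr, $2 = new fpr, $3 = out file).
transition_statement() {
    cat >"$3" <<EOF
I am transitioning my OpenPGP key from $1 (1024-bit DSA, SHA-1)
to $2 (4096-bit RSA). The old key stays only to decrypt mail
already sent to it; please re-sign the new key if you signed the old one.
EOF
}

main() {
    OLD_KEY=0000000000000000000000000000000000000000   # placeholder fpr
    NEW_KEY=1111111111111111111111111111111111111111   # placeholder fpr
    OLD_ENC=2222222222222222222222222222222222222222   # placeholder subkey fpr
    write_gpg_conf "$HOME/.gnupg/gpg.conf"
    # Long RSA key: a signing primary key plus an encryption subkey, 2y expiry
    gpg --quick-generate-key "Example User <user@example.org>" rsa4096 sign 2y
    gpg --quick-add-key "$NEW_KEY" rsa4096 encr 2y
    # Hash/cipher preferences recorded in the new key's self-signatures
    printf 'setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed\nsave\n' |
        gpg --batch --command-fd 0 --edit-key "$NEW_KEY"
    # Revocation certificate for the new key, to be kept offline
    gpg --armor --output "revoke-$NEW_KEY.asc" --gen-revoke "$NEW_KEY"
    # Statement carrying two signatures; verifiable with either key
    transition_statement "$OLD_KEY" "$NEW_KEY" transition.txt
    gpg --armor --clearsign -u "$OLD_KEY" -u "$NEW_KEY" transition.txt
    gpg --verify transition.txt.asc
    # Old key: expire the encryption subkey, keep only that subkey's secret
    # material (the '!' selects just it), then drop the old signing secret
    gpg --quick-set-expire "$OLD_KEY" 1y "$OLD_ENC"
    gpg --armor --export-secret-subkeys "${OLD_ENC}!" >old-enc-subkey.asc
    gpg --batch --yes --delete-secret-keys "$OLD_KEY"
    gpg --import old-enc-subkey.asc   # encryption subkey back, signing key gone
}
if [ "${1-}" = run ]; then main; fi
```

Run it as `sh transition.sh run` after replacing the placeholder fingerprints with the ones `gpg --list-keys --with-subkey-fingerprint` reports.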