Need to update http://www.apache.org/dev/release-signing.html to say 4096 asap I suspect :) Stop new people being lured into this problem.
Hen

On Tue, Aug 11, 2009 at 5:39 AM, Robert Burrell Donkin<rdon...@apache.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> with ApacheConUS only three months away, we really need to start
> planning how apache can move away from short keys (DSA and RSA < 2048)
> and weak WOT links (SHA-1)[1]. the consensus on infra was that this is
> the best list for this discussion. if it happens to get too busy then a
> new list can be created.
>
> the first step needs to be updating the documents so that new release
> managers know how to set up and use GnuPG[2] to generate keys unlikely
> to need changing in the next couple of years. i'll start a thread over
> on site dev to cover this.
>
> the first question for discussion is recommended key length. 2048 is the
> minimum safe size for new keys but only just. for keys used to sign
> releases, 4096 is more credible today. 8192 bit keys are possible with
> GnuPG[3] but are fiddly and - in older tools - support may be patchy.
> going for 4096 would mean a second transition before 2015 but the next
> generation (SHA-3 and next generation of OpenPGP) should be available by
> then.
>
> consensus on infra was to go for 4096 but if anyone knows any good
> reasons to go for some other value, please jump in.
>
> - - robert
>
> [1]
> http://www.jroller.com/robertburrelldonkin/entry/release_distribution_renewing_the_web
> [2] http://www.gnupg.org
> [3] http://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIcBAEBAgAGBQJKgWaEAAoJEHl6NpRAqILLzzQP/RI/ZpkauHrLMzW48lNRsmUc
> h9a4HJ1WXL6eESSbJK9rawPxrAvG/p3rbH3TTixIkwLPz8BQDuG8kxmTHn8LDlGg
> /YLZbDtgFpF3SElGn1MbzldI48DTgw/JXa4opVHi/gvSAoA72+P7td5D12YiA+6R
> Urr6I8hcDOdHRfDsXPHbu5MLh4S//vVgrdOXahLqwzwJK0GCdsjJ88RGJgPXrWfH
> abfzKY3jGUheLtIJUbQiMI2IKA5VrCK+WMXoWxnqnnxL6JDQUGXfpai5dxoRy22D
> wcv6UN+FIUF8OCBymYRXMcngwczYDkYkUyrVEjOSlnmtC4rHKq/wZGtn3VJGSCEf
> hLoSC+aZ+HLHxK5pA0ZxRs4IFhMtTijV5ng6VA1aOPW0N1ySIUd7fgAO7QpksCcL
> 84LZMAzstH48Ce2Zzrj8oJ5NLYIR531Mh0C7N/JRkUdPLTXDByvXBTJ9uRXoRw6v
> a1IexoewUxXfAcR2Yi0lVtkL9ZBVWMm/caXpSqLHKxFvQND71dWg+7UsfJR057c3
> CP5bwJIp4dANLOeYa6kj07b+Xu2ZutKBAdZWSH/u3lx1Grh3apq1gbGmdoyKyLyj
> d4px2wyB6oWS5C3ZEdAG8oy9QC1LERgnqTt7kMGMNl5j8E1AAMsPTw7laULss1S1
> itF2Nys9bJZA1dfQTx7B
> =w79Q
> -----END PGP SIGNATURE-----
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: community-unsubscr...@apache.org
> For additional commands, e-mail: community-h...@apache.org
>
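The message quoted above names two things a release manager should check for: primary keys that are DSA or RSA shorter than the recommended size, and SHA-1 still being used for new signatures and certifications. The script below is an added example for this thread, not code from the thread, from Apache infra or from the GnuPG project. It audits the machine-readable listing GnuPG produces with `gpg --list-keys --with-colons` (in that format field 3 is the key length, field 4 the OpenPGP algorithm id and field 5 the key id) and writes the gpg.conf digest options that keep SHA-1 out of new signatures. The listing it runs on is constructed with placeholder key ids so it runs offline; generating the key itself is interactive (`gpg --gen-key` in the GnuPG 2.0 of the time) and is not scripted here.

```shell
#!/bin/sh
# Added example (not from the thread): audit GnuPG keys for DSA and short RSA
# primaries, and write digest preferences that avoid SHA-1 for new signatures.

# Recommended RSA size for release-signing keys, per the infra consensus above.
MIN_RSA_BITS=4096

# classify_key BITS ALGO -> "ok", "weak" or "review".
# ALGO is the OpenPGP public-key algorithm id (RFC 4880): 1 = RSA, 17 = DSA.
classify_key() {
  case "$2" in
    17) echo weak ;;                                                  # DSA: short and SHA-1-bound
    1)  if [ "$1" -ge "$MIN_RSA_BITS" ]; then echo ok; else echo weak; fi ;;
    *)  echo review ;;                                                # other algorithms: inspect by hand
  esac
}

# audit_listing: reads "gpg --list-keys --with-colons" output on stdin and
# prints "KEYID BITS ALGO VERDICT" for every primary key ("pub" record).
audit_listing() {
  while IFS=: read -r rtype _validity bits algo keyid _rest; do
    [ "$rtype" = "pub" ] || continue
    echo "$keyid $bits $algo $(classify_key "$bits" "$algo")"
  done
}

# count_weak: number of primary keys on stdin that the audit flagged as weak.
count_weak() {
  audit_listing | grep -c ' weak$' || true
}

# write_gpg_prefs FILE: gpg.conf options that stop SHA-1 being used for new
# data signatures and key certifications (the weak-WOT-link problem).
# FILE is normally ~/.gnupg/gpg.conf.
write_gpg_prefs() {
  cat >"$1" <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Constructed sample listing (placeholder key ids, not real keys): a 1024-bit
# DSA key, a 4096-bit RSA key and a 2048-bit RSA key.
SAMPLE_LISTING=$(cat <<'EOF'
tru::1:1250000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2005-01-01:::u:::scESC:
uid:u::::2005-01-01::0000000000000000000000000000000000000000::Release Manager <rm@example.org>:
pub:u:4096:1:FEDCBA9876543210:2009-08-11:::u:::scESC:
pub:u:2048:1:1122334455667788:2008-03-03:::u:::scESC:
EOF
)

# Stand-alone run: audit the sample listing and report how many keys are weak.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
printf 'weak keys: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_weak)"
```

Against a real keyring, replace the sample with `gpg --list-keys --with-colons | audit_listing`; the verdict for the 2048-bit RSA key is "weak" only because the threshold is set to the 4096 the thread settles on, so lower `MIN_RSA_BITS` to 2048 if you want the bare-minimum view.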