Robert Burrell Donkin wrote:
> Henri Yandell wrote:
>> Need to update http://www.apache.org/dev/release-signing.html to say
>> 4096 asap I suspect :) Stop new people being lured into this problem.
i've committed something (as a stopgap measure)

> yes but...
>
> key size isn't the direct cause of the problem: SHA-1 is
>
> AIUI the OpenPGP WG assumed that the next generation hash algorithm (and
> so the next OpenPGP revision) would be available before SHA-1 was
> broken. this is now looking very unlikely.
>
> so, new keys need to be generated using the latest tools with specific
> settings (older tools and default settings typically try to force people
> into the OpenPGP defaults for compatibility), and everyone (even those
> with longer keys) needs to upgrade their tools and adjust the settings.
>
> we also need to ensure that we're setting up the infrastructure for an
> orderly, measured transition rather than rushing to create a panic.

should probably expand that section explaining the situation. maybe something like:

"
Recent research has revealed weaknesses in SHA-1, and in the DSA and 1024-bit RSA OpenPGP keys which must use this algorithm. These weaknesses are not yet feasible but - if experience with similar weaknesses in MD5 can be a guide - further advances may well lead to practical attacks within the next few years. There is no reason for owners of these keys to panic but new keys of short length should not be generated. All new RSA keys generated should be at least 4096 bits. Do not generate new DSA keys. See discussions on the community list for more information.
"

opinions? improvements?
- robert -

---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscr...@apache.org
For additional commands, e-mail: community-h...@apache.org
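As an added illustration of the policy proposed in the message above (this is example code, not from the thread or from the ASF), a small Python audit that applies it to a GnuPG key listing and a gpg.conf: flag DSA keys and RSA keys shorter than 4096 bits, and check that the digest settings no longer leave SHA-1 on top. The colon-format records and the gpg.conf are constructed samples; `personal-digest-preferences` and `cert-digest-algo` are real GnuPG options, but SHA512 as the required value is an assumption of this example.

```python
import re
RSA, DSA = 1, 17      # OpenPGP public-key algorithm IDs (RFC 4880, section 9.1)
MIN_RSA_BITS = 4096
# Real gpg.conf option names; putting SHA512 first is our assumed target value.
REQUIRED_CONF = {"personal-digest-preferences": "SHA512", "cert-digest-algo": "SHA512"}

# Constructed `gpg --list-keys --with-colons` records (field 3 = bits, 4 = algo ID,
# 5 = key ID); the key IDs and user IDs are made up for this example.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2005-03-01:::u:Example Dev (constructed) <dev@example.org>::scaESCA:
sub:u:2048:16:FEDCBA9876543210:2005-03-01::::::e:
pub:u:4096:1:1111222233334444:2009-08-12:::u:Example Rel (constructed) <rel@example.org>::scESC:
pub:u:2048:1:AAAABBBBCCCCDDDD:2008-01-01:::u:Example Old (constructed) <old@example.org>::scESC:
"""
# Constructed gpg.conf that still leaves SHA1 as the top digest preference.
SAMPLE_CONF = """\
# constructed sample gpg.conf
personal-digest-preferences SHA1 SHA256
"""

def audit_keys(colon_listing):
    """Return (key ID, reason) for each pub/sub record that violates the policy."""
    findings = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        bits, algo, keyid = int(f[2]), int(f[3]), f[4]
        if algo == DSA:
            findings.append((keyid, "DSA key: policy says do not generate new DSA keys"))
        elif algo == RSA and bits < MIN_RSA_BITS:
            findings.append((keyid, f"RSA {bits}-bit key: below the {MIN_RSA_BITS}-bit minimum"))
    return findings

def audit_conf(conf_text):
    """Return required digest options that are missing or do not list SHA-2 first."""
    present = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # gpg.conf comments start with '#'
        if line:
            parts = re.split(r"[ \t=]+", line, maxsplit=1)
            present[parts[0]] = parts[1] if len(parts) > 1 else ""
    problems = []
    for opt, wanted in REQUIRED_CONF.items():
        value = present.get(opt)
        if value is None:
            problems.append(f"{opt} not set; the tool default decides (often SHA-1)")
        elif value.upper().split()[0] != wanted:      # first listed digest wins
            problems.append(f"{opt} = {value!r}; expected {wanted} first")
    return problems
```

Run it against the real output of `gpg --list-keys --with-colons` and your own `~/.gnupg/gpg.conf` to see which keys and settings the proposed text would affect.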