Robert Burrell Donkin wrote:
> Robert Burrell Donkin wrote:
>> Henri Yandell wrote:
>>> Need to update http://www.apache.org/dev/release-signing.html to say
>>> 4096 asap I suspect :) Stop new people being lured into this problem.
>
> i've committed something (as a stopgap measure)
>
>> yes but...
>
>> key size isn't the direct cause of the problem: SHA-1 is
>
>> AIUI the OpenPGP WG assumed that the next generation hash algorithm (and
>> so the next OpenPGP revision) would be available before SHA-1 was
>> broken. this is now looking very unlikely.
>
>> so, new keys need to be generated using the latest tools with specific
>> settings (older tools and default settings typically try to force people
>> into the OpenPGP defaults for compatibility), and everyone (even those
>> with longer keys) need to upgrade their tools and adjust the settings.
>
>> we also need to ensure that we're setting up the infrastructure for an
>> orderly, measured transition rather than rushing to create a panic.
>
> should probably expand that section explaining the situation.

the improved text from discussions on site-dev is:

Recent research has revealed weaknesses in SHA-1, and thus in the DSA and 1024 bit RSA OpenPGP keys which must use this algorithm. Though no realistic attacks have been made public, experience with similar weaknesses in MD5 suggests that further advances may well lead to practical attacks within the next few years. This accords with current NIST guidance on DSA.

All new RSA keys generated should be at least 4096 bits. Do not generate new DSA keys.

See discussions on the community list for more information.

opinions? improvements?

- robert
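
Added example, not part of the original message or of any Apache tooling: a small audit that reads `gpg --list-keys --with-colons` output and flags primary keys that fall outside the draft guidance above (DSA keys, or RSA keys shorter than 4096 bits). It assumes GnuPG's colon-listing field positions and the RFC 4880 algorithm ids, checks primary keys only, and applies the "new keys" thresholds to existing keys as an assumption; the sample listing is constructed.

```python
# Added example: audit `gpg --list-keys --with-colons` output against the
# draft guidance in the message (RSA >= 4096 bits, no DSA keys).
RSA_ALGOS = {1, 2, 3}   # RFC 4880 public-key algorithm ids for RSA
DSA_ALGO = 17           # RFC 4880 public-key algorithm id for DSA
MIN_RSA_BITS = 4096     # threshold taken from the draft text

# Constructed sample listing; key ids and user ids are made up.
SAMPLE = """\
tru::1:1249000000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAA1:1100000000:::u:::scESC:
uid:u::::1100000000::::Constructed DSA User <dsa@example.invalid>:
sub:u:2048:16:AAAAAAAAAAAAAAA2:1100000000::::::e:
pub:u:1024:1:BBBBBBBBBBBBBBB1:1150000000:::u:::scESC:
uid:u::::1150000000::::Constructed Short RSA <rsa1024@example.invalid>:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1249000000:::u:::scESC:
uid:u::::1249000000::::Constructed Strong RSA <rsa4096@example.invalid>:
sub:u:4096:1:CCCCCCCCCCCCCCC2:1249000000::::::e:
"""


def parse_primary_keys(listing):
    """Collect primary-key ("pub") records and their first user id."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4 and f[2].isdigit() and f[3].isdigit():
            # field 3 = key length, field 4 = algorithm, field 5 = key id
            keys.append({"keyid": f[4], "bits": int(f[2]),
                         "algo": int(f[3]), "uid": ""})
        elif f[0] == "uid" and len(f) > 9 and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]  # field 10 = user id
    return keys


def audit(listing):
    """Return (keyid, uid, reason) for each key outside the guidance."""
    findings = []
    for k in parse_primary_keys(listing):
        if k["algo"] == DSA_ALGO:
            reason = "DSA primary key"
        elif k["algo"] in RSA_ALGOS and k["bits"] < MIN_RSA_BITS:
            reason = "RSA key is %d bits, below %d" % (k["bits"], MIN_RSA_BITS)
        else:
            continue
        findings.append((k["keyid"], k["uid"], reason))
    return findings


if __name__ == "__main__":
    for keyid, uid, reason in audit(SAMPLE):
        print("%s  %s  (%s)" % (keyid, reason, uid))
```

To audit a real keyring, pass the text produced by `gpg --list-keys --with-colons` to `audit()` in place of `SAMPLE`.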