There is really no technical reason to use DSA these days, and we should focus on having a single recommendation. DSA keys are still permitted via 'minimal' requirements. --- glep-0063.rst | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst index ab7cb79..e81c862 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -35,6 +35,9 @@ v1.1 Minimal specification has been amended to allow for ECC keys. + The option of using DSA subkey has been removed from recommendations. + The section now specifies a single recommendation of using RSA. + Motivation ========== @@ -122,26 +125,19 @@ their primary key). # when making an OpenPGP certification, use a stronger digest than the default SHA1: cert-digest-algo SHA256 -2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) - - This may require creating an entirely new key. - -3. Dedicated signing subkey of EITHER: - - a. DSA 2048 bits exactly. - - b. RSA 2048 bits exactly. +2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits + (OpenPGP v4 key format or later) -4. Key expiry: +3. Key expiry: a. Primary key: 3 years maximum, expiry date renewed annually. b. Gentoo subkey: 1 year maximum, expiry date renewed every 6 months. -5. Create a revocation certificate & store it hardcopy offsite securely +4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). -6. Encrypted backup of your secret keys. +5. Encrypted backup of your secret keys. Gentoo LDAP =========== -- 2.18.0
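Review bot: The new changelog entry in the first hunk (under v1.1) says the DSA subkey option "has been removed from recommendations" but does not say that DSA keys remain acceptable under the minimal specification, which the commit message states explicitly. A reader of the changelog alone could take this as DSA being disallowed outright. Consider adding a clause such as "DSA keys remain permitted by the minimal specification". There is also a missing article: "using DSA subkey" should read "using a DSA subkey".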
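Review bot: In the second hunk, the merged item 2 drops the word "exactly" that the old subkey item carried ("RSA 2048 bits exactly"), so "both of type RSA, 2048 bits" no longer says whether 2048 is a fixed size or a floor. If the subkey size is still meant to be fixed, keep "exactly"; if larger keys are now acceptable in the recommendation, say "at least 2048 bits", and state which applies to the primary key as well. The merge also removes the note "This may require creating an entirely new key." from the old primary-key item; if that caveat still applies to developers with older keys, it should be kept under the new item 2. Since items 3 to 5 are renumbered, any references to these steps by number elsewhere in the GLEP need the same update.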