We are considering changing the default keysize (RSA, DSA, DH) from 1K to 2K, and changing the default signing digest from SHA-1 to SHA-256.
We've already committed this to HEAD/master. We would like to make this change in the upcoming 1.0.2 release as well. Several downstream distributions, such as Debian, have already done this. Microsoft has already announced deprecation of SHA-1 certificates, and Google just recently posted a fairly aggressive plan for Chrome. Does anyone have strong objections? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me<mailto:rs...@jabber.me> Twitter: RichSalz