sebb wrote:
> On 11/08/2009, Robert Burrell Donkin <rdon...@apache.org> wrote:
>> with ApacheConUS only three months away, we really need to start
>> planning how apache can move away from short keys (DSA and RSA < 2048)
>> and weak WOT links (SHA-1)[1]. the consensus on infra was that this is
>> the best list for this discussion. if it happens to get too busy then a
>> new list can be created.
>>
>> the first step needs to be updating the documents so that new release
>> managers know how to set up and use GnuPG[2] to generate keys unlikely
>> to need changing in the next couple of years. i'll start a thread over
>> on site dev to cover this.
>>
>> the first question for discussion is recommended key length. 2048 is the
>> minimum safe size for new keys but only just. for keys used to sign
>> releases, 4096 is more credible today. 8192 bit keys are possible with
>> GnuPG[3] but are fiddly and - in older tools - support may be patchy.
>> going for 4096 would mean a second transition before 2015 but the next
>> generation (SHA-3 and next generation of OpenPGP) should be available by
>> then.
>
> Perhaps the new keys should have an expiration date of 2015 (or earlier)?

probably a good idea. expiry dates can be changed on keys so it's just a
useful reminder.

- robert
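As an added illustration of the key policy the thread converges on (RSA at 4096 bits, an expiry date around 2015, and no SHA-1 in the key's preferences), not code from the thread or from Apache infra, the script below builds a GnuPG unattended key-generation parameter file, emits the gpg.conf lines that make new signatures and certifications use SHA-2, and audits a `gpg --list-keys --with-colons` listing for keys shorter than a minimum. The name, e-mail address and expiry date are placeholders; the `Preferences:` batch parameter and the `cert-digest-algo`, `personal-digest-preferences` and `default-preference-list` options are documented GnuPG settings, and the colon-format field positions are those documented in GnuPG's DETAILS file.

```shell
#!/bin/sh
# Added example, not from the thread: a GnuPG batch recipe for the key
# policy discussed above (RSA, 4096 bits, expiry date, SHA-2 preferences)
# plus a check that flags short keys in an existing keyring listing.
# Names, e-mail addresses and dates below are placeholders.

# Emit an unattended key-generation parameter file for gpg --batch.
# Arguments: real name, e-mail address, expiry (YYYY-MM-DD or e.g. 2y).
# No "Passphrase:" line is written on purpose, so GnuPG prompts through
# pinentry instead of having the secret sit in a file.
gen_key_params() {
  cat <<EOF
%echo generating 4096-bit RSA signing key for $1
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: $3
Preferences: SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
%commit
%echo done
EOF
}

# Feed the parameters straight into gpg (real invocation; not exercised
# by the checks below).
generate_key() {
  gen_key_params "$1" "$2" "$3" | gpg --batch --gen-key
}

# gpg.conf lines so that signatures and certifications made with the new
# key use SHA-2 instead of the SHA-1 default of older GnuPG versions.
gpg_conf_sha2() {
  cat <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Audit a colon-format listing (gpg --list-keys --with-colons) read from
# stdin. Field 3 is the key size in bits, field 4 the algorithm id
# (1 = RSA, 17 = DSA) and field 5 the key ID. Prints one line per
# primary key or subkey shorter than the minimum (default 2048) and
# returns 1 if any was found, 0 otherwise.
audit_key_lengths() {
  awk -F: -v min="${1:-2048}" '
    $1 == "pub" || $1 == "sub" {
      algo = ($4 == 1) ? "RSA" : ($4 == 17) ? "DSA" : "algo" $4
      if ($3 + 0 < min + 0) {
        printf "%s %s %s %d bits (too short)\n", $1, $5, algo, $3
        weak++
      }
    }
    END { exit (weak > 0) ? 1 : 0 }'
}

# Usage:
#   generate_key "Release Manager" "rm@example.invalid" 2015-01-01
#   gpg_conf_sha2 >> ~/.gnupg/gpg.conf
#   gpg --list-keys --with-colons | audit_key_lengths 2048
```

The audit only reads the listing, so it can be run against the project's public KEYS file after importing it into a scratch keyring; a non-zero exit status makes it usable as a gate in a release checklist. Expiry is set in the parameter file rather than left open-ended, in line with the suggestion above that an expiry date serves as a reminder to rotate even though it can be extended later.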