On Aug 11, 2009, at 8:24 AM, Robert Burrell Donkin wrote:
1024 bit keys and SHA-1 links are currently considered safe so there's
no reason to believe that apache keys have been compromised.
transition
statements [1] in a trusted location will probably be good enough to
convince most people to re-sign. but we'd need to think carefully
about
a sufficient secure infrastructure before recommending this.
There is nothing wrong with the existing keys. There is no danger
of any compromise, even by brute-force attack. Our signatures are
used for verification, not privacy, and in any case the "schedule"
for key sizes becoming weak is based on speculation. There is no
evidence to suggest that anyone has managed to find a specific
private key to match a given 1024-bit public key.
Quite frankly, I think that this effort to purge 1024 bit keys will
simply make PGP useless for verifications, since PGP without the
web of trust is a friggin waste of time. What people should do is
increase the default key size for new keys and just be happy that
anyone uses PGP/GPG at all.
....Roy
---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscr...@apache.org
For additional commands, e-mail: community-h...@apache.org
