-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Henri Yandell wrote:
> Need to update http://www.apache.org/dev/release-signing.html to say
> 4096 asap I suspect :) Stop new people being lured into this problem.

yes but... key size isn't the direct cause of the problem: SHA-1 is

AIUI the OpenPGP WG assumed that the next generation hash algorithm (and so the next OpenPGP revision) would be available before SHA-1 was broken. this is now looking very unlikely.

so, new keys need to be generated using the latest tools with specific settings (older tools and default settings typically try to force people into the OpenPGP defaults for compatibility), and everyone (even those with longer keys) needs to upgrade their tools and adjust the settings.

we also need to ensure that we're setting up the infrastructure for an orderly, measured transition rather than rushing to create a panic.

- - robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJKgru2AAoJEHl6NpRAqILLf3AP/RPhP1RED+VhnpPrgBacYc/l
CQhVthk5sAru4aFLm/v4FcDab0eqLbnhexq9eKAamkehkW5x+F7qyuwng/RHtN7T
kQkLgjS8LGxfP+nhs11iHzOdtCPVJ5Q1VOaDJ4HbOTnV7H4jhHgAzdB2700LCB4r
/mSk2YG9zfBJXc8kXYD9r/LkHtKlWfdC9evbvlVO8WMionbKwzcq87vD+10dW23Z
ne0lqKDyw/9pCn8HMRt2S5o5E/QynZ+681ONgeNGGU67W5FWW8NPmH20AYLwEFXH
pPPMXHyLMQFZffHenJHMeJJLpEtOwKBL/Fa7ITiOTv7+2jd+EBrghUIa/K9p2VYK
3GcOzvK/tfhR2qV05N1NyScTbHFq6HgpL++r0ijB4thhqrZzXoLrVQRJzO58iXBI
+HHJ6GRdSNN6Dt9eZ58dsnvwONd9x8M0Omsut1azbNfOtO9WrjveBgygLwWE4LgI
iqoxaY4zZmahPPvFag4urdVcl4Lu0T77q0llO94YucIHgHJMITk8dACJey/Fp1SO
xHqMpn2AiMRlbfbOESAbG70yUvRS8QZ7z28E17pSXHMrXrf6vrIG0dhVKSUfIE/A
PQ8qR/t9gi70FDKs+awA5b9D5k3fL2fQGVaq+NTovnHmS5z7jKZJQWpstBsZ2rCo
DqJkyt6lLNfC+B5pB01b
=mL9t
-----END PGP SIGNATURE-----
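The "adjust the settings" step Robert describes, and a way to check which digest an existing signature actually used, as an added example that is not part of this thread or of Apache's release-signing page. The gpg.conf options are real GnuPG options (the ordering of the preference lists is a choice, not a project standard); the `gpg --list-packets` sample output is constructed, and its key id is a placeholder. Note that the signed message above was itself made with `Hash: SHA1`, which is exactly the kind of signature this check flags.

```shell
#!/bin/sh
# Added example: move GnuPG off SHA-1 and audit signatures for weak digests.
# Not from the mailing-list thread; option names are GnuPG's, values are assumptions.

# gpg.conf lines that prefer the SHA-2 family for data signatures, for key
# certifications (cert-digest-algo), and in the preferences written into new
# keys (default-preference-list). personal-digest-preferences is used rather
# than forcing digest-algo, so recipient preferences are still honoured.
HARDENED_GPG_CONF='
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
'

# Append each hardened option to the given gpg.conf unless an option with that
# name is already present (so an existing, deliberate setting is never clobbered).
write_hardened_conf() {
  conf="$1"
  touch "$conf"
  printf '%s\n' "$HARDENED_GPG_CONF" | while IFS= read -r line; do
    [ -z "$line" ] && continue
    opt="${line%% *}"
    grep -q "^$opt" "$conf" || printf '%s\n' "$line" >> "$conf"
  done
}

# OpenPGP hash algorithm ids (RFC 4880, section 9.4) to names.
digest_name() {
  case "$1" in
    1) echo MD5 ;;
    2) echo SHA1 ;;
    3) echo RIPEMD160 ;;
    8) echo SHA256 ;;
    9) echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *) echo "UNKNOWN($1)" ;;
  esac
}

# Read `gpg --list-packets` output on stdin and print "<digest> <keyid>" for
# every signature packet. The packet header line carries the key id; the
# "digest algo N" field is on the continuation line that follows it.
signature_digests() {
  awk '
    /^:signature packet:/ {
      keyid = ""
      if (match($0, /keyid [0-9A-Fa-f]+/)) keyid = substr($0, RSTART + 6, RLENGTH - 6)
      in_sig = 1
      next
    }
    in_sig && match($0, /digest algo [0-9]+/) {
      print substr($0, RSTART + 12, RLENGTH - 12), keyid
      in_sig = 0
    }' | while read -r algo keyid; do
    echo "$(digest_name "$algo") $keyid"
  done
}

# Number of signatures on stdin made with a digest outside the SHA-2 family.
weak_signature_count() {
  signature_digests | awk '$1 == "MD5" || $1 == "SHA1" || $1 == "RIPEMD160" { n++ } END { print n + 0 }'
}

# Constructed sample of `gpg --list-packets` output: two self-signatures on a
# placeholder key, one made with SHA-1 (algo 2) and one with SHA-512 (algo 10).
SAMPLE_LIST_PACKETS=':signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1250000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 7f 3a
    hashed subpkt 2 len 4 (sig created 2009-08-11)
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1250000000, md5len 0, sigclass 0x13
    digest algo 10, begin of digest c4 9e
    hashed subpkt 2 len 4 (sig created 2009-08-11)'

# Demo on the constructed sample. On a real system, feed it the real thing:
#   gpg --export KEYID | gpg --list-packets | signature_digests
#   gpg --list-packets release.tar.gz.asc | weak_signature_count
printf '%s\n' "$SAMPLE_LIST_PACKETS" | signature_digests
printf 'weak signatures: %s\n' "$(printf '%s\n' "$SAMPLE_LIST_PACKETS" | weak_signature_count)"
```

Changing `default-preference-list` only affects keys generated afterwards; an existing key's advertised preferences live in its self-signature, so after editing gpg.conf re-issue them with `gpg --edit-key KEYID`, then `setpref` followed by `save`, and confirm with `showpref`. Running the audit over `gpg --export` of your own key shows whether that new self-signature was itself made with a SHA-2 digest.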