From: "Michał Górny" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny" Message-ID: <1532894846.053bd57e619706ddd0967d181daea8fbfa37d1d6.mgorny@gentoo> Subject: [gentoo-commits] data/glep:master commit in: / X-VCS-Repository: data/glep X-VCS-Files: glep-0063.rst X-VCS-Directories: / X-VCS-Committer: mgorny X-VCS-Committer-Name: Michał Górny X-VCS-Revision: 053bd57e619706ddd0967d181daea8fbfa37d1d6 X-VCS-Branch: master Date: Sun, 29 Jul 2018 20:51:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c1e792d8-7177-4c69-ba87-d2902200dd74 X-Archives-Hash: 0f03227a3c123c40aed480f39f3c2bf4 commit: 053bd57e619706ddd0967d181daea8fbfa37d1d6 Author: Michał Górny gentoo org> AuthorDate: Wed Jul 4 09:55:09 2018 +0000 Commit: Michał Górny gentoo org> CommitDate: Sun Jul 29 20:07:26 2018 +0000 URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=053bd57e glep-0063: Stop recommending DSA subkeys There is really no technical reason to use DSA these days, and we should focus on having a single recommendation. DSA keys are still permitted via 'minimal' requirements. glep-0063.rst | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index 2402c34..7f870bb 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -36,6 +36,9 @@ v1.1 Minimal specification has been amended to allow for ECC keys. + The option of using DSA subkey has been removed from recommendations. + The section now specifies a single recommendation of using RSA. + Motivation ========== 
@@ -126,24 +129,19 @@ their primary key). # when making an OpenPGP certification, use a stronger digest than the default SHA1: cert-digest-algo SHA256 -2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) - -3. The signing subkey of EITHER: - - a. DSA 2048 bits exactly. - - b. RSA 2048 bits exactly. +2. Primary key and the signing subkey are both of type RSA, 2048 bits + (OpenPGP v4 key format or later) -4. Key expiry: +3. Key expiry: a. Primary key: 3 years maximum, expiry date renewed annually. b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. -5. Create a revocation certificate & store it hardcopy offsite securely +4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). -6. Encrypted backup of your secret keys. +5. Encrypted backup of your secret keys. Gentoo LDAP ===========
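Review bot: The added v1.1 changelog lines are missing an article ("The option of using DSA subkey has been removed from recommendations"); suggest "The option of using a DSA subkey has been removed from the recommendations." Since the commit message stresses that DSA keys are still permitted under the 'minimal' requirements, saying so in the changelog entry as well would keep readers from reading it as a ban on DSA keys.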
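Review bot: The merged item 2 ("Primary key and the signing subkey are both of type RSA, 2048 bits") drops the word "exactly" that the removed subkey line carried ("b. RSA 2048 bits exactly."), so the subkey size now reads as loosely as the primary key size did. If the subkey is still meant to be exactly 2048 bits, keep "exactly" for it; if the intent is to relax that, the changelog entry should say so. The renumbering of the remaining items (4 to 3, 5 to 4, 6 to 5) is consistent with the two removed items, but please check that nothing elsewhere in the GLEP refers to the old item numbers.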