From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 0/4] GLEP 63: clean up, and reduce key size to RSA-2048
Date: Tue, 03 Jul 2018 21:55:01 +0200
Message-ID: <1530647701.14300.1.camel@gentoo.org>
In-Reply-To: <9950822.7ybtiaU7av@monkey>
References: <20180703132957.29200-1-mgorny@gentoo.org> <5401190.UbGu1mLZpO@monkey> <9950822.7ybtiaU7av@monkey>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"

On Tue, 03.07.2018 at 12:42 -0400, Aaron Bauman wrote:
> On Tuesday, July 3, 2018 12:40:57 PM EDT Aaron Bauman wrote:
> > On Tuesday, July 3, 2018 9:29:53 AM EDT Michał Górny wrote:
> > > Hi, everyone.
> > >
> > > Here's a series of patches for GLEP 63 (key policies). The first three
> > > patches are merely editorial changes. The fourth is an actual
> > > recommended policy change.
> > >
> > > The editorial changes are:
> > >
> > > 1. Using 'OpenPGP' instead of 'GPG' where appropriate.
> > >
> > > 2. Replacing 'RSAv4' with a more correct term.
> > >
> > > 3. Clarifying the sentence on the minimal key requirement to make it clear
> > >    that the dedicated signing subkey is also part of it.
> > >
> > > The policy change is changing the recommendation from RSA-4096
> > > to RSA-2048. This does not require developers to reroll their RSA-4096
> > > keys but aims to prevent people unnecessarily replacing RSA-2048 with
> > > RSA-4096.
> > >
> > > The new recommendation matches what the GnuPG FAQ suggests [1] (see 11.4,
> > > 11.5). Long story short, RSA-4096 is only a little stronger than
> > > RSA-2048 while it is much slower. If someone really wants to use it,
> > > sure; but generally we shouldn't be encouraging people to use it.
> > >
> > > [1]: https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
> > >
> > > --
> > > Best regards,
> > > Michał Górny
> > >
> > > Michał Górny (4):
> > >   glep-0063: Use 'OpenPGP' as appropriate
> > >   glep-0063: RSAv4 -> OpenPGP v4 key format
> > >   glep-0063: Clarify dedicated signing subkey in minimal reqs
> > >   glep-0063: Change the recommended RSA key size to 2048 bits
> > >
> > >  glep-0063.rst | 44 ++++++++++++++++++++++++++++----------------
> > >  1 file changed, 28 insertions(+), 16 deletions(-)
> >
> > Patches look good to me. I think now would be a good time to address other
> > verbiage too, e.g. recommendations should be requirements, etc.
>
> To clarify: I think this patchset is good as it is. I can create a new
> patchset with recommendations for the things I mentioned above.

Please do. I tried to keep this to stuff that's not likely to cause much
of a bikeshed, because I feel like stopping telling people to use RSA-4096
is somewhat urgent, especially now that people are being asked to update
their keys all over the place.

--
Best regards,
Michał Górny
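The thread's technical premise is that RSA-4096 is only a little stronger than RSA-2048 while being much slower. The following is an added example (my code, not part of the thread, GLEP 63 or GnuPG) that puts rough numbers on both halves of that claim. Its assumptions: strength is estimated with the standard GNFS asymptotic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped (a heuristic that lands a few bits above the 112 bits NIST SP 800-57 tabulates for RSA-2048); the cost of the private-key operation is modelled as cubic in the modulus length; and the timing uses constructed pseudo-RSA inputs (a random odd modulus and a full-length exponent, not a valid key) that merely have the right size profile for a modular exponentiation.

```python
"""Strength gain vs. cost penalty of RSA-2048 -> RSA-4096.

Added example for the gentoo-dev GLEP 63 discussion; not code from the
thread, GLEP 63 or GnuPG.  Assumptions are documented on each function.
"""
import math
import random
import time
from typing import Dict, Tuple


def gnfs_security_bits(modulus_bits: int) -> float:
    """Approximate symmetric-equivalent strength of an RSA modulus.

    Uses the GNFS asymptotic ln L = c * (ln n)^(1/3) * (ln ln n)^(2/3)
    with c = (64/9)^(1/3) and no o(1) term (assumption: heuristic only,
    slightly above NIST's tabulated 112 bits for RSA-2048), then converts
    the work factor L to bits as log2(L).
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def modelled_cost_ratio(bits_a: int, bits_b: int) -> float:
    """Relative cost of a private-key operation at bits_b vs bits_a.

    Assumption: schoolbook modular exponentiation, cubic in the modulus
    length, so doubling the key size costs about 8x.
    """
    return (bits_b / bits_a) ** 3


def _pseudo_modexp_inputs(bits: int, seed: int = 1) -> Tuple[int, int, int]:
    """Constructed inputs with the size profile of an RSA private operation.

    NOT a valid RSA key: n is just a random odd number with the top bit
    set and d a full-length random exponent; that is all the timing needs.
    """
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    d = rng.getrandbits(bits) | (1 << (bits - 1))
    m = rng.getrandbits(bits - 1)
    return m, d, n


def measure_private_op(bits: int, reps: int = 3) -> float:
    """Seconds per full-length modular exponentiation at this modulus size."""
    m, d, n = _pseudo_modexp_inputs(bits)
    start = time.perf_counter()
    for _ in range(reps):
        pow(m, d, n)
    return (time.perf_counter() - start) / reps


def compare(bits_a: int = 2048, bits_b: int = 4096) -> Dict[str, float]:
    """Summarise the strength gained and the cost paid going bits_a -> bits_b."""
    sa, sb = gnfs_security_bits(bits_a), gnfs_security_bits(bits_b)
    ta, tb = measure_private_op(bits_a), measure_private_op(bits_b)
    return {
        "strength_bits_a": round(sa, 1),
        "strength_bits_b": round(sb, 1),
        "strength_gain_bits": round(sb - sa, 1),
        "modelled_cost_ratio": modelled_cost_ratio(bits_a, bits_b),
        "measured_cost_ratio": round(tb / ta, 1),
    }


if __name__ == "__main__":
    # Strength grows by a few tens of bits; the private operation gets
    # several times slower (the measured ratio varies with CPU and with
    # Python's big-integer multiplication, so treat it as indicative).
    for key, value in compare().items():
        print(f"{key:>22}: {value}")
```

The point the numbers make is the one Michał cites from the GnuPG FAQ: the estimated strength goes from roughly 117 to roughly 157 bits, i.e. both sizes already sit above the 128-bit level of the symmetric ciphers they protect, while every signature and decryption becomes several times more expensive. Measured ratios below the cubic 8x are expected on CPython, whose big-integer multiplication switches to Karatsuba at these sizes.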