From: Aaron Bauman
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 0/4] GLEP 63: clean up, and reduce key size to RSA-2048
Date: Tue, 03 Jul 2018 12:42:26 -0400
Message-ID: <9950822.7ybtiaU7av@monkey>
In-Reply-To: <5401190.UbGu1mLZpO@monkey>
References: <20180703132957.29200-1-mgorny@gentoo.org> <5401190.UbGu1mLZpO@monkey>

On Tuesday, July 3, 2018 12:40:57 PM EDT Aaron Bauman wrote:
> On Tuesday, July 3, 2018 9:29:53 AM EDT Michał Górny wrote:
> > Hi, everyone.
> >
> > Here's a series of patches for GLEP 63 (key policies). The first three
> > patches are merely editorial changes. The fourth is an actual
> > recommended policy change.
> >
> > The editorial changes are:
> >
> > 1. Using 'OpenPGP' instead of 'GPG' where appropriate.
> >
> > 2. Replacing 'RSAv4' with more correct term.
> >
> > 3. Clarifying the sentence on minimal key requirement to make it clear
> >    that dedicated signing subkey is also part of it.
> >
> > The policy change is changing the recommendation from RSA-4096
> > to RSA-2048. This does not require developers to reroll their RSA-4096
> > keys but aims to prevent people unnecessarily replacing RSA-2048 with
> > RSA-4096.
> >
> > The new recommendation matches what GnuPG FAQ suggests [1] (see 11.4,
> > 11.5). Long story short, RSA-4096 is only a little stronger than
> > RSA-2048 while it is much slower. If someone really wants to use it,
> > sure; but generally we shouldn't be encouraging people to use it.
> >
> > [1]: https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
> >
> > --
> > Best regards,
> > Michał Górny
> >
> > Michał Górny (4):
> >   glep-0063: Use 'OpenPGP' as appropriate
> >   glep-0063: RSAv4 -> OpenPGP v4 key format
> >   glep-0063: Clarify dedicated signing subkey in minimal reqs
> >   glep-0063: Change the recommended RSA key size to 2048 bits
> >
> >  glep-0063.rst | 44 ++++++++++++++++++++++++++++----------------
> >  1 file changed, 28 insertions(+), 16 deletions(-)
>
> Patches look good to me. I think now would be a good time to address other
> verbiage too. e.g. recommendations should be requirements etc

To clarify. I think this patchset is good as it is. I can create a new
patchset with recommendations for the things I mentioned above.