commit: 053bd57e619706ddd0967d181daea8fbfa37d1d6
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 4 09:55:09 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Jul 29 20:07:26 2018 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=053bd57e

glep-0063: Stop recommending DSA subkeys

There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.

glep-0063.rst | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)

17 |
diff --git a/glep-0063.rst b/glep-0063.rst |
18 |
index 2402c34..7f870bb 100644 |
19 |
--- a/glep-0063.rst |
20 |
+++ b/glep-0063.rst |
21 |
@@ -36,6 +36,9 @@ v1.1 |
22 |
|
23 |
Minimal specification has been amended to allow for ECC keys. |
24 |
|
25 |
+ The option of using DSA subkey has been removed from recommendations. |
26 |
+ The section now specifies a single recommendation of using RSA. |
27 |
+ |
28 |
Motivation |
29 |
========== |
30 |
|
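Review bot: The added v1.1 changelog lines say the DSA subkey option "has been removed from recommendations" but omit what the commit message states, that DSA keys are still permitted via the minimal requirements. A reader who sees only the GLEP text could take this as a prohibition. Suggest appending a clause such as "DSA keys remain permitted under the minimal specification." Also, "using DSA subkey" should read "using a DSA subkey".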
31 |
@@ -126,24 +129,19 @@ their primary key). |
32 |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
33 |
cert-digest-algo SHA256 |
34 |
|
35 |
-2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) |
36 |
- |
37 |
-3. The signing subkey of EITHER: |
38 |
- |
39 |
- a. DSA 2048 bits exactly. |
40 |
- |
41 |
- b. RSA 2048 bits exactly. |
42 |
+2. Primary key and the signing subkey are both of type RSA, 2048 bits |
43 |
+ (OpenPGP v4 key format or later) |
44 |
|
45 |
-4. Key expiry: |
46 |
+3. Key expiry: |
47 |
|
48 |
a. Primary key: 3 years maximum, expiry date renewed annually. |
49 |
|
50 |
b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. |
51 |
|
52 |
-5. Create a revocation certificate & store it hardcopy offsite securely |
53 |
+4. Create a revocation certificate & store it hardcopy offsite securely |
54 |
(it's about ~300 bytes). |
55 |
|
56 |
-6. Encrypted backup of your secret keys. |
57 |
+5. Encrypted backup of your secret keys. |
58 |
|
59 |
Gentoo LDAP |
60 |
=========== |
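Review bot: The merged item 2 drops the word "exactly" that both removed subkey options carried ("DSA 2048 bits exactly", "RSA 2048 bits exactly"), so the new wording "both of type RSA, 2048 bits" no longer says whether 2048 is a fixed size or a floor for the signing subkey. If the subkey size is still meant to be fixed, keep "exactly" for the subkey; if not, say "at least" so the change in meaning is deliberate and visible. Separately, items 4 to 6 are renumbered to 3 to 5, so any reference elsewhere in the document to those step numbers should be checked in the same commit.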