| 1 |
W dniu wto, 03.07.2018 o godzinie 12∶42 -0400, użytkownik Aaron Bauman |
| 2 |
napisał: |
| 3 |
> On Tuesday, July 3, 2018 12:40:57 PM EDT Aaron Bauman wrote: |
| 4 |
> > On Tuesday, July 3, 2018 9:29:53 AM EDT Michał Górny wrote: |
| 5 |
> > > Hi, everyone. |
| 6 |
> > > |
| 7 |
> > > Here's a series of patches for GLEP 63 (key policies). The first three |
| 8 |
> > > patches are merely editorial changes. The fourth is an actual |
| 9 |
> > > recommended policy change. |
| 10 |
> > > |
| 11 |
> > > The editorial changes are: |
| 12 |
> > > |
| 13 |
> > > 1. Using 'OpenPGP' instead of 'GPG' where appropriate. |
| 14 |
> > > |
| 15 |
> > > 2. Replacing 'RSAv4' with more correct term. |
| 16 |
> > > |
| 17 |
> > > 3. Clarifying the sentence on minimal key requirement to make it clear |
| 18 |
> > > |
| 19 |
> > > that dedicated signing subkey is also part of it. |
| 20 |
> > > |
| 21 |
> > > The policy change is changing the recommendation from RSA-4096 |
| 22 |
> > > to RSA-2048. This does not require developers to reroll their RSA-4096 |
| 23 |
> > > keys but aims to prevent people unnecessarily replacing RSA-2048 with |
| 24 |
> > > RSA-4096. |
| 25 |
> > > |
| 26 |
> > > The new recommendation matches what GnuPG FAQ suggests [1] (see 11.4, |
| 27 |
> > > 11.5). Long story short, RSA-4096 is only a little stronger than |
| 28 |
> > > RSA-2048 while it is much slower. If someone really wants to use it, |
| 29 |
> > > sure; but generally we shouldn't be encouraging people to use it. |
| 30 |
> > > |
| 31 |
> > > [1]:https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096 |
| 32 |
> > > |
| 33 |
> > > -- |
| 34 |
> > > Best regards, |
| 35 |
> > > Michał Górny |
| 36 |
> > > |
| 37 |
> > > Michał Górny (4): |
| 38 |
> > > glep-0063: Use 'OpenPGP' as appropriate |
| 39 |
> > > glep-0063: RSAv4 -> OpenPGP v4 key format |
| 40 |
> > > glep-0063: Clarify dedicated signing subkey in minimal reqs |
| 41 |
> > > glep-0063: Change the recommended RSA key size to 2048 bits |
| 42 |
> > > |
| 43 |
> > > glep-0063.rst | 44 ++++++++++++++++++++++++++++---------------- |
| 44 |
> > > 1 file changed, 28 insertions(+), 16 deletions(-) |
| 45 |
> > |
| 46 |
> > Patches look good to me. I think now would be a good time to address other |
| 47 |
> > verbage too. e.g. recommendations should be requirements etc |
| 48 |
> |
| 49 |
> To clarify. I think this patchset it good as it is. I can create a new |
| 50 |
> patchset with recommendations for the things I mentioned above. |
| 51 |
|
| 52 |
Please do. I tried to keep this to stuff that's not likely to cause |
| 53 |
much of a bikeshed because I feel like stopping to tell people to do |
| 54 |
RSA-4096 is somewhat urgent, especially now that people are being asked |
| 55 |
to update their keys all over the place. |
| 56 |
|
| 57 |
-- |
| 58 |
Best regards, |
| 59 |
Michał Górny |
Archives