There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.
--- |
5 |
glep-0063.rst | 20 ++++++++------------ |
6 |
1 file changed, 8 insertions(+), 12 deletions(-) |
7 |
|
8 |
diff --git a/glep-0063.rst b/glep-0063.rst |
9 |
index ab7cb79..e81c862 100644 |
10 |
--- a/glep-0063.rst |
11 |
+++ b/glep-0063.rst |
12 |
@@ -35,6 +35,9 @@ v1.1 |
13 |
|
14 |
Minimal specification has been amended to allow for ECC keys. |
15 |
|
16 |
+ The option of using DSA subkey has been removed from recommendations. |
17 |
+ The section now specifies a single recommendation of using RSA. |
18 |
+ |
19 |
Motivation |
20 |
========== |
21 |
|
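Review bot: The new v1.1 changelog entry says the DSA subkey option was removed from the recommendations, but it does not say that DSA keys remain acceptable under the minimal specification, which the commit message states explicitly. Consider adding a clause such as "DSA keys remain permitted by the minimal specification" so that holders of DSA subkeys do not read this entry as a prohibition. Also, "using DSA subkey" wants an article: "using a DSA subkey".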
22 |
@@ -122,26 +125,19 @@ their primary key). |
23 |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
24 |
cert-digest-algo SHA256 |
25 |
|
26 |
-2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) |
27 |
- |
28 |
- This may require creating an entirely new key. |
29 |
- |
30 |
-3. Dedicated signing subkey of EITHER: |
31 |
- |
32 |
- a. DSA 2048 bits exactly. |
33 |
- |
34 |
- b. RSA 2048 bits exactly. |
35 |
+2. Primary key and a dedicated signing subkey, both of type RSA, 2048 bits |
36 |
+ (OpenPGP v4 key format or later) |
37 |
|
38 |
-4. Key expiry: |
39 |
+3. Key expiry: |
40 |
|
41 |
a. Primary key: 3 years maximum, expiry date renewed annually. |
42 |
|
43 |
b. Gentoo subkey: 1 year maximum, expiry date renewed every 6 months. |
44 |
|
45 |
-5. Create a revocation certificate & store it hardcopy offsite securely |
46 |
+4. Create a revocation certificate & store it hardcopy offsite securely |
47 |
(it's about ~300 bytes). |
48 |
|
49 |
-6. Encrypted backup of your secret keys. |
50 |
+5. Encrypted backup of your secret keys. |
51 |
|
52 |
Gentoo LDAP |
53 |
=========== |
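Review bot: In the merged item 2, the "2048 bits exactly" wording that the removed 3a/3b applied to the signing subkey has become plain "2048 bits" for both keys, so it is no longer clear whether 2048 is an exact size or a minimum for the subkey. Please state which is intended, for example "both of type RSA, 2048 bits exactly" if the old subkey rule is meant to carry over. The removed sentence "This may require creating an entirely new key." is also dropped without replacement; if it still applies to developers whose existing primary key does not meet the recommendation, keep it under the new item 2.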
54 |
-- |
55 |
2.18.0 |