There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.
4 |
--- |
5 |
glep-0063.rst | 18 ++++++++---------- |
6 |
1 file changed, 8 insertions(+), 10 deletions(-) |
7 |
|
8 |
diff --git a/glep-0063.rst b/glep-0063.rst |
9 |
index f6f2959..8c3dd1b 100644 |
10 |
--- a/glep-0063.rst |
11 |
+++ b/glep-0063.rst |
12 |
@@ -35,6 +35,9 @@ v1.1 |
13 |
|
14 |
Minimal specification has been amended to allow for ECC keys. |
15 |
|
16 |
+ The option of using DSA subkey has been removed from recommendations. |
17 |
+ The section now specifies a single recommendation of using RSA. |
18 |
+ |
19 |
Motivation |
20 |
========== |
21 |
|
22 |
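Review bot: The new v1.1 changelog entry says the DSA subkey option "has been removed from recommendations" but does not say that DSA keys remain acceptable under the minimal specification, which the commit message states explicitly. A reader of the changelog alone could take this as DSA being dropped entirely, so consider appending a sentence such as "DSA keys remain permitted by the minimal specification." Minor wording: "using DSA subkey" should read "using a DSA subkey".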
@@ -125,24 +128,19 @@ their primary key). |
23 |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
24 |
cert-digest-algo SHA256 |
25 |
|
26 |
-2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) |
27 |
- |
28 |
-3. The signing subkey of EITHER: |
29 |
- |
30 |
- a. DSA 2048 bits exactly. |
31 |
- |
32 |
- b. RSA 2048 bits exactly. |
33 |
+2. Primary key and the signing subkey are both of type RSA, 2048 bits |
34 |
+ (OpenPGP v4 key format or later) |
35 |
|
36 |
-4. Key expiry: |
37 |
+3. Key expiry: |
38 |
|
39 |
a. Primary key: 3 years maximum, expiry date renewed annually. |
40 |
|
41 |
b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. |
42 |
|
43 |
-5. Create a revocation certificate & store it hardcopy offsite securely |
44 |
+4. Create a revocation certificate & store it hardcopy offsite securely |
45 |
(it's about ~300 bytes). |
46 |
|
47 |
-6. Encrypted backup of your secret keys. |
48 |
+5. Encrypted backup of your secret keys. |
49 |
|
50 |
Gentoo LDAP |
51 |
=========== |
52 |
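Review bot: The merged item 2 drops the word "exactly" that both removed subkey options carried ("DSA 2048 bits exactly.", "RSA 2048 bits exactly."), so "both of type RSA, 2048 bits" no longer says whether 2048 is a fixed size or a floor for the signing subkey. If the exact-size requirement is still intended, keep the qualifier in the new text; if it is being relaxed on purpose, say so in the commit message and the changelog entry, since the stated purpose of the patch is only the removal of DSA. The renumbering of items 4 to 6 down to 3 to 5 also means any reference to these items by number elsewhere in the GLEP should be checked.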
-- |
53 |
2.18.0 |