Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: robbat2@g.o, "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH v5 09/16] glep-0063: Stop recommending DSA subkeys
Date: Sun, 08 Jul 2018 18:43:13
Message-Id: 20180708183902.30367-10-mgorny@gentoo.org
In Reply to: [gentoo-dev] [PATCH v5 00/16] GLEP 63, once again by "Michał Górny"
1 There is really no technical reason to use DSA these days, and we should
2 focus on having a single recommendation. DSA keys are still permitted
3 via 'minimal' requirements.
4 ---
5 glep-0063.rst | 18 ++++++++----------
6 1 file changed, 8 insertions(+), 10 deletions(-)
7
8 diff --git a/glep-0063.rst b/glep-0063.rst
9 index 2402c34..7f870bb 100644
10 --- a/glep-0063.rst
11 +++ b/glep-0063.rst
12 @@ -36,6 +36,9 @@ v1.1
13
14 Minimal specification has been amended to allow for ECC keys.
15
16 + The option of using DSA subkey has been removed from recommendations.
17 + The section now specifies a single recommendation of using RSA.
18 +
19 Motivation
20 ==========
21
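Review bot: In the added v1.1 changelog entry, "The option of using DSA subkey has been removed from recommendations" can be read as DSA being dropped altogether, while the commit message says DSA keys are still permitted via the minimal requirements. Consider stating that in the entry, for example "The option of using a DSA subkey has been removed from the recommendations; DSA remains permitted by the minimal specification.", which also supplies the missing articles.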
22 @@ -126,24 +129,19 @@ their primary key).
23 # when making an OpenPGP certification, use a stronger digest than the default SHA1:
24 cert-digest-algo SHA256
25
26 -2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)
27 -
28 -3. The signing subkey of EITHER:
29 -
30 - a. DSA 2048 bits exactly.
31 -
32 - b. RSA 2048 bits exactly.
33 +2. Primary key and the signing subkey are both of type RSA, 2048 bits
34 + (OpenPGP v4 key format or later)
35
36 -4. Key expiry:
37 +3. Key expiry:
38
39 a. Primary key: 3 years maximum, expiry date renewed annually.
40
41 b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
42
43 -5. Create a revocation certificate & store it hardcopy offsite securely
44 +4. Create a revocation certificate & store it hardcopy offsite securely
45 (it's about ~300 bytes).
46
47 -6. Encrypted backup of your secret keys.
48 +5. Encrypted backup of your secret keys.
49
50 Gentoo LDAP
51 ===========
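Review bot: The new item 2 ("Primary key and the signing subkey are both of type RSA, 2048 bits") drops the word "exactly" that the removed subkey lines carried ("RSA 2048 bits exactly"), so it is no longer clear whether a larger RSA signing subkey still matches the recommendation. If the relaxation is intended, word it as a lower bound; if not, keep "exactly" in the merged item. The parenthetical "(OpenPGP v4 key format or later)" previously sat on the primary key line only and now follows a sentence about both keys, which is worth confirming as intended.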
52 --
53 2.18.0