author: Michał Górny <mgorny@gentoo.org> 2018-07-04 11:55:09 +0200
committer: Michał Górny <mgorny@gentoo.org> 2018-07-29 22:07:26 +0200
commit: 053bd57e619706ddd0967d181daea8fbfa37d1d6
tree: f477dfa7cdce457d51cff24c32a1350c558d394e
parent: glep-0063: Allow ECC curve 25519 keys
glep-0063: Stop recommending DSA subkeys
There is really no technical reason to use DSA these days, and we should focus on having a single recommendation. DSA keys are still permitted via 'minimal' requirements.
-rw-r--r-- glep-0063.rst 18
1 files changed, 8 insertions, 10 deletions
diff --git a/glep-0063.rst b/glep-0063.rst
index 2402c34..7f870bb 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -36,6 +36,9 @@ v1.1
Minimal specification has been amended to allow for ECC keys.
+ The option of using DSA subkey has been removed from recommendations.
+ The section now specifies a single recommendation of using RSA.
+
Motivation
==========
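Review bot: In the added v1.1 changelog entry, "The section now specifies a single recommendation of using RSA" does not say which section is meant, and the entry omits that DSA keys stay permitted under the minimal requirements, which the commit message states. Suggest naming the recommendations section explicitly and adding a clause noting that DSA remains allowed by the minimal specification, so a reader of the changelog alone does not conclude DSA keys are now rejected. "using DSA subkey" also needs an article ("a DSA subkey").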
@@ -126,24 +129,19 @@ their primary key).
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
-2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)
-
-3. The signing subkey of EITHER:
-
- a. DSA 2048 bits exactly.
-
- b. RSA 2048 bits exactly.
+2. Primary key and the signing subkey are both of type RSA, 2048 bits
+ (OpenPGP v4 key format or later)
-4. Key expiry:
+3. Key expiry:
a. Primary key: 3 years maximum, expiry date renewed annually.
b. Signing subkey: 1 year maximum, expiry date renewed every 6 months.
-5. Create a revocation certificate & store it hardcopy offsite securely
+4. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
-6. Encrypted backup of your secret keys.
+5. Encrypted backup of your secret keys.
Gentoo LDAP
===========
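Review bot: The merged item 2 drops the word "exactly" that both removed subkey options carried ("RSA 2048 bits exactly."), so it is no longer clear whether 2048 bits is a fixed size or a floor for the signing subkey. If the constraint is still intended, keep "exactly" in the new line; if it is being relaxed, record that in the v1.1 changelog, since it changes the recommendation beyond removing DSA. The renumbering of the following items to 3 through 5 is consistent within this hunk, but any cross-references elsewhere in the document to the old item numbers 3 through 6 are not visible here and should be checked.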