field | value | date |
---|---|---|
author | Michał Górny <mgorny@gentoo.org> | 2018-07-04 11:55:09 +0200 |
committer | Michał Górny <mgorny@gentoo.org> | 2018-07-29 22:07:26 +0200 |
commit | 053bd57e619706ddd0967d181daea8fbfa37d1d6 | |
tree | f477dfa7cdce457d51cff24c32a1350c558d394e | |
parent | glep-0063: Allow ECC curve 25519 keys | |
glep-0063: Stop recommending DSA subkeys
There is really no technical reason to use DSA these days, and we should
focus on having a single recommendation. DSA keys are still permitted
via 'minimal' requirements.
-rw-r--r-- | glep-0063.rst | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/glep-0063.rst b/glep-0063.rst index 2402c34..7f870bb 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -36,6 +36,9 @@ v1.1 Minimal specification has been amended to allow for ECC keys. + The option of using DSA subkey has been removed from recommendations. + The section now specifies a single recommendation of using RSA. + Motivation ========== @@ -126,24 +129,19 @@ their primary key). # when making an OpenPGP certification, use a stronger digest than the default SHA1: cert-digest-algo SHA256 -2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) - -3. The signing subkey of EITHER: - - a. DSA 2048 bits exactly. - - b. RSA 2048 bits exactly. +2. Primary key and the signing subkey are both of type RSA, 2048 bits + (OpenPGP v4 key format or later) -4. Key expiry: +3. Key expiry: a. Primary key: 3 years maximum, expiry date renewed annually. b. Signing subkey: 1 year maximum, expiry date renewed every 6 months. -5. Create a revocation certificate & store it hardcopy offsite securely +4. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). -6. Encrypted backup of your secret keys. +5. Encrypted backup of your secret keys. Gentoo LDAP =========== |
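Review bot: In the first hunk (@@ -36,6 +36,9 @@), the added v1.1 changelog entry says the DSA subkey option "has been removed from recommendations" but never says that DSA keys stay acceptable under the minimal specification, which the commit message states explicitly. Someone reading only the changelog could take this as DSA being disallowed. Suggest appending a sentence along the lines of "DSA keys remain permitted by the minimal specification." As a wording nit in the same entry, "using DSA subkey" should read "using a DSA subkey".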
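Review bot: In the second hunk (@@ -126,24 +129,19 @@), the merged item 2 drops the word "exactly" that both removed subkey options carried ("RSA 2048 bits exactly"), so the new text "both of type RSA, 2048 bits" no longer says whether 2048 bits is a fixed size or a lower bound for the signing subkey. If the exact-size restriction is still intended, keep "exactly" in the new item; if it is being relaxed, say so in the item and in the v1.1 changelog, since the changelog lines added above mention only the removal of DSA.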