On Tuesday, July 3, 2018 12:40:57 PM EDT Aaron Bauman wrote:
> On Tuesday, July 3, 2018 9:29:53 AM EDT Michał Górny wrote:
> > Hi, everyone.
> > 
> > Here's a series of patches for GLEP 63 (key policies).  The first three
> > patches are merely editorial changes.  The fourth is an actual
> > recommended policy change.
> > 
> > The editorial changes are:
> > 
> > 1. Using 'OpenPGP' instead of 'GPG' where appropriate.
> > 
> > 2. Replacing 'RSAv4' with more correct term.
> > 
> > 3. Clarifying the sentence on minimal key requirement to make it clear
> > 
> >    that dedicated signing subkey is also part of it.
> > 
> > The policy change is changing the recommendation from RSA-4096
> > to RSA-2048.  This does not require developers to reroll their RSA-4096
> > keys but aims to prevent people unnecessarily replacing RSA-2048 with
> > RSA-4096.
> > 
> > The new recommendation matches what GnuPG FAQ suggests [1] (see 11.4,
> > 11.5).  Long story short, RSA-4096 is only a little stronger than
> > RSA-2048 while it is much slower.  If someone really wants to use it,
> > sure; but generally we shouldn't be encouraging people to use it.
> > 
> > [1]:https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
> > 
> > --
> > Best regards,
> > Michał Górny
> > 
> > Michał Górny (4):
> >   glep-0063: Use 'OpenPGP' as appropriate
> >   glep-0063: RSAv4 -> OpenPGP v4 key format
> >   glep-0063: Clarify dedicated signing subkey in minimal reqs
> >   glep-0063: Change the recommended RSA key size to 2048 bits
> >  
> >  glep-0063.rst | 44 ++++++++++++++++++++++++++++----------------
> >  1 file changed, 28 insertions(+), 16 deletions(-)
> 
> Patches look good to me.  I think now would be a good time to address other
> verbage too.  e.g. recommendations should be requirements etc

To clarify.  I think this patchset it good as it is.  I can create a new 
patchset with recommendations for the things I mentioned above.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to