On Tue, 03.07.2018 at 12:42 -0400, Aaron Bauman wrote:
> On Tuesday, July 3, 2018 12:40:57 PM EDT Aaron Bauman wrote:
> > On Tuesday, July 3, 2018 9:29:53 AM EDT Michał Górny wrote:
> > > Hi, everyone.
> > >
> > > Here's a series of patches for GLEP 63 (key policies). The first three
> > > patches are merely editorial changes. The fourth is an actual
> > > recommended policy change.
> > >
> > > The editorial changes are:
> > >
> > > 1. Using 'OpenPGP' instead of 'GPG' where appropriate.
> > >
> > > 2. Replacing 'RSAv4' with more correct term.
> > >
> > > 3. Clarifying the sentence on minimal key requirement to make it clear
> > >    that dedicated signing subkey is also part of it.
> > >
> > > The policy change is changing the recommendation from RSA-4096
> > > to RSA-2048. This does not require developers to reroll their RSA-4096
> > > keys but aims to prevent people unnecessarily replacing RSA-2048 with
> > > RSA-4096.
> > >
> > > The new recommendation matches what GnuPG FAQ suggests [1] (see 11.4,
> > > 11.5). Long story short, RSA-4096 is only a little stronger than
> > > RSA-2048 while it is much slower. If someone really wants to use it,
> > > sure; but generally we shouldn't be encouraging people to use it.
> > >
> > > [1]:https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
> > >
> > > --
> > > Best regards,
> > > Michał Górny
> > >
> > > Michał Górny (4):
> > >   glep-0063: Use 'OpenPGP' as appropriate
> > >   glep-0063: RSAv4 -> OpenPGP v4 key format
> > >   glep-0063: Clarify dedicated signing subkey in minimal reqs
> > >   glep-0063: Change the recommended RSA key size to 2048 bits
> > >
> > >  glep-0063.rst | 44 ++++++++++++++++++++++++++++----------------
> > >  1 file changed, 28 insertions(+), 16 deletions(-)
> >
> > Patches look good to me. I think now would be a good time to address other
> > verbiage too. e.g. recommendations should be requirements etc
>
> To clarify. I think this patchset is good as it is. I can create a new
> patchset with recommendations for the things I mentioned above.

Please do. I tried to keep this to stuff that's not likely to cause much
of a bikeshed because I feel like stopping to tell people to do RSA-4096
is somewhat urgent, especially now that people are being asked to update
their keys all over the place.

--
Best regards,
Michał Górny