[OpenAFS] AFS/Kerberos Workshop key signing
Sat, 09 May 2009 14:13:34 -0700
For those of you who are coming to the 2009 AFS and Kerberos Best
Practices Workshop  who use PGP and who have an older key, you may
want to start thinking about generating a new PGP key in advance of the
workshop and then introducing it at a key signing there.
If you haven't been following the recent security news, a significant
new attack on SHA-1 was revealed at EuroCrypt this year, weakening its
protection against hash collisions to 2^52 from 2^63. All 1024-bit DSA
GnuPG keys can only use a 160-bit hash, normally SHA-1. You can set
your key preferences to use a different hash, but it still truncates to
160 bits. See:
Also, SHA-1 and 1024-bit DSA is already not recommended for use after
2010 by the US government even before this attack.
So, if you have a 1024-bit DSA key or something older, it's probably
time to introduce a new key and be sure the key preferences are set to
use SHA-2 hashes. I plan on going straight to 4096-bit RSA; I don't see
any reason not to.
It's a lot easier to introduce a new key at a conference where you can
immediately do a key signing, so this might be a good opportunity for a
lot of us.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>