> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> NIST advises [1] that SHA1 should be EOL'd by the end of 2010. Recent
> research[2] has revealed vulnerabilities in SHA1.
>
> DSA requires a 160bit hash with SHA1 the most common choice. DSA has a
> 1024bit key length. This is considered too short[4] now with 4096 bits
> being better but 8192 preferrable. Most digital signatures - including
> many of those which secure the WOT[3] and Apache releases- use SHA1 and
> DSA keys.
>
> Debian are preparing to start transitioning away from DSA and SHA1[5]
> towards longer keys. IMO Apache should think about how to do the same.
>
> opinions?
>
> some particular issues for apache:
>
> * we ask for MD5 and SHA1 hashes, both of which now have known
> vulnerabilities
> * by end of 2010, keys of 1024 bits should no longer be considered
> secure and will need to be revoked
> * by end of 2010, all WOT links signed using SHA1 should be considered
> insecure (and that's most of them)
> * by end of 2010, signatures by 1024 bit keys should no longer be
> considered secure and many of the keys that made them will have been revoked
>
> i've started an issue[6] to track any actions apache needs to take. this
> also has attached the results of a baseline scan i ran against
> archive.apache.org.
>
> - - robert
>
> [1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
> [2] See
> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> [3] Web Of Trust
> [4] Applied Cryptography, Long Range Factor Predications
> [5] http://www.debian-administration.org/users/dkg/weblog/48
> [6] https://issues.apache.org/jira/browse/INFRA-2042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkoC4BAACgkQQ617goCdfgNiuQCeLgbNoo82v+AFTLp3YD9DbKPD
> OX8AoKcto++UaybAtNr4Tt3F+CH5J1iW
> =StHh
> -----END PGP SIGNATURE-----
>