Posted to infrastructure-issues@apache.org by "Robert Burrell Donkin (JIRA)" <ji...@apache.org> on 2009/05/07 14:38:30 UTC

[jira] Created: (INFRA-2042) EOL SHA1, DSA

EOL SHA1, DSA 
--------------

                 Key: INFRA-2042
                 URL: https://issues.apache.org/jira/browse/INFRA-2042
             Project: Infrastructure
          Issue Type: Task
      Security Level: public (Regular issues)
            Reporter: Robert Burrell Donkin


[PLEASE LEAVE OPEN FOR LONG TERM TRACKING]


NIST advises [1] SHA1 has been scheduled for EOL in 2010. Recent research [2] has revealed new vulnerabilities in SHA1.

DSA requires a 160-bit hash with SHA1 the most common choice. DSA has a 1024-bit key length. This is considered too short [4] with 4096 bits being better but 8192 preferable. Most digital signatures - including many of those which secure the WOT [3] and Apache releases - use SHA1 and DSA.

Debian are preparing to start transitioning away from DSA and SHA1 [5]. Apache should think about how to do the same.

[1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
[2] See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
[3] Web Of Trust
[4] Applied Cryptography, Long Range Factor Predictions
[5] http://www.debian-administration.org/users/dkg/weblog/48

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
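The ticket turns on a practical question: which digest and which public-key algorithm the detached .asc signatures on archive.apache.org actually carry. The script below is an added example for this page, not the reporter's scan tooling and not anything attached to the issue. It reads the OpenPGP signature packet directly, following the RFC 4880 layout, with the Python standard library alone, so it needs no gpg binary, and flags SHA-1 (or MD5) digests and DSA signatures. For DSA it also reports the size of the subgroup order q inferred from the (r, s) values, because a 160-bit q is the mark of the 1024-bit DSA keys the ticket wants retired; the modulus size itself is only in the public key, so that finding is a prompt to inspect the signer's key rather than a verdict. The two sample signatures at the bottom are constructed in the script (their key ID, timestamp and MPI values are filler, not real keys), and the file names in the final loop are made up.

```python
import base64
import re
import struct

PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES, DSA = {1, 2}, 17          # MD5 and SHA1; DSA public-key algorithm id (RFC 4880 9.1, 9.4)


def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Return the binary packet inside a PGP SIGNATURE armor after checking its CRC-24."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE armor found")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    body = [ln for ln in lines if ln and ":" not in ln and not ln.startswith("=")]  # drop headers, blank, CRC
    crc = [ln[1:] for ln in lines if ln.startswith("=")]                            # the "=XXXX" line
    data = base64.b64decode("".join(body))
    if crc and int.from_bytes(base64.b64decode(crc[0]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    return data


def read_packet(data: bytes):
    """First packet as (tag, body); old- and new-format headers, RFC 4880 section 4.2."""
    first = data[0]
    if first & 0x40:                                      # new format: tag in the low 6 bits
        tag, o1 = first & 0x3F, data[1]
        if o1 >= 224:
            raise ValueError("5-octet and partial body lengths not handled")
        length, off = (o1, 2) if o1 < 192 else (((o1 - 192) << 8) + data[2] + 192, 3)
    else:                                                 # old format: 1/2/4-octet length by type bits
        tag, fmt = (first >> 2) & 0x0F, {0: ">B", 1: ">H", 2: ">I"}.get(first & 0x03)
        if fmt is None:                                   # length type 3: body runs to end of data
            return tag, data[1:]
        off = 1 + struct.calcsize(fmt)
        length = struct.unpack(fmt, data[1:off])[0]
    return tag, data[off:off + length]


def parse_signature(armored: str) -> dict:
    """Version, public-key algorithm, hash algorithm and MPI bit lengths of a detached signature."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    version = body[0]
    if version == 3:    # version, 0x05, type, time(4), key id(8), pk algo, hash algo, left16, MPIs
        pk_algo, hash_algo, off = body[15], body[16], 19
    elif version == 4:  # version, type, pk algo, hash algo, hashed subpkts, unhashed subpkts, left16, MPIs
        pk_algo, hash_algo = body[2], body[3]
        off = 6 + struct.unpack(">H", body[4:6])[0]
        off += 2 + struct.unpack(">H", body[off:off + 2])[0] + 2
    else:
        raise ValueError(f"unsupported signature version {version}")
    mpi_bits = []
    while off + 2 <= len(body):                          # MPIs: two-octet bit count, then the value
        bits = struct.unpack(">H", body[off:off + 2])[0]
        mpi_bits.append(bits)
        off += 2 + (bits + 7) // 8
    return {"version": version, "pubkey_algo": pk_algo, "hash_algo": hash_algo, "mpi_bits": mpi_bits,
            "pubkey_name": PUBKEY_ALGOS.get(pk_algo, f"algo {pk_algo}"),
            "hash_name": HASH_ALGOS.get(hash_algo, f"algo {hash_algo}")}


def findings(sig: dict) -> list:
    """The ticket's two concerns: a SHA-1 (or MD5) digest, and DSA with a 160-bit q."""
    out = []
    if sig["hash_algo"] in WEAK_HASHES:
        out.append(f"digest {sig['hash_name']} is scheduled for retirement")
    if sig["pubkey_algo"] == DSA:
        # r, s < q, so the MPI sizes show q: 160 bits means a 1024-bit FIPS 186-2 key
        # (the modulus size itself is only in the public key packet, not the signature).
        out.append(f"DSA signature, q about {max(sig['mpi_bits'], default=0)} bits")
    return out


# Constructed sample signatures for illustration only: filler key ID, timestamp and MPI values.
def _v4_body(pk_algo: int, hash_algo: int, mpi_bits: list) -> bytes:
    hashed = bytes([5, 2]) + struct.pack(">I", 1241700000)              # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes(range(8))                         # issuer key-id subpacket
    body = bytes([4, 0x00, pk_algo, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd"   # left 16 bits of the hash
    for bits in mpi_bits:                                               # an MPI of exactly `bits` bits
        body += struct.pack(">H", bits) + ((1 << (bits - 1)) | 5).to_bytes((bits + 7) // 8, "big")
    return body

def _packet(body: bytes) -> bytes:          # old-format signature header with a 1- or 2-octet length
    header = bytes([0x88, len(body)]) if len(body) < 256 else bytes([0x89]) + struct.pack(">H", len(body))
    return header + body

def _armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: constructed sample", "",
                      *(b64[i:i + 64] for i in range(0, len(b64), 64)), "=" + crc,
                      "-----END PGP SIGNATURE-----", ""])

SAMPLE_DSA_SHA1 = _armor(_packet(_v4_body(17, 2, [160, 160])))   # DSA over SHA1, 160-bit r and s
SAMPLE_RSA_SHA256 = _armor(_packet(_v4_body(1, 8, [2048])))      # RSA over SHA256, 2048-bit s

if __name__ == "__main__":
    for name, asc in (("foo-1.0.tar.gz.asc", SAMPLE_DSA_SHA1), ("bar-2.0.tar.gz.asc", SAMPLE_RSA_SHA256)):
        sig = parse_signature(asc)
        print(f"{name}: {sig['pubkey_name']}/{sig['hash_name']}", findings(sig) or "ok")
```

To run it over a real archive tree, read each .asc file into a string and pass it to parse_signature; a DSA finding should then be paired with a look at the signer's public key (for example gpg --list-packets on the exported key) to confirm the modulus size before the key is treated as 1024-bit.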


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: openjpa-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: lenya-rat-scan-data-2009-05-07.html
                java-repository-rat-scan-data-2009-05-07.html
                java-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: db-rat-scan-data-2009-05-06.html
                cxf-rat-scan-data-2009-05-06.html
                couchdb-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: felix-rat-scan-data-2009-05-06.html
                excalibur-rat-scan-data-2009-05-06.html
                directory-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html
>


[jira] Commented: (INFRA-2042) EOL SHA1, DSA

Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927440#action_12927440 ] 

Tony Stevenson commented on INFRA-2042:
---------------------------------------

Robert.  

Can this be closed, or better yet updated so we know the current status? 

Cheers,
Tony


> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>          Components: Dists
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html, poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html, quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html, servicemix-rat-scan-data-2009-05-07.html, shale-rat-scan-data-2009-05-07.html, spamassassin-rat-scan-data-2009-05-07.html, stdcxx-rat-scan-data-2009-05-07.html, struts-rat-scan-data-2009-05-07.html, synapse-rat-scan-data-2009-05-07.html, tapestry-rat-scan-data-2009-05-07.html, tcl-rat-scan-data-2009-05-07.html, tiles-rat-scan-data-2009-05-07.html, tomcat-rat-scan-data-2009-05-07.html, turbine-rat-scan-data-2009-05-07.html, tuscany-rat-scan-data-2009-05-07.html, velocity-rat-scan-data-2009-05-07.html, wicket-rat-scan-data-2009-05-07.html, ws-rat-scan-data-2009-05-07.html, xerces-rat-scan-data-2009-05-07.html, xml-rat-scan-data-2009-05-07.html, xmlbeans-rat-scan-data-2009-05-07.html, xmlgraphics-rat-scan-data-2009-05-07.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: beehive-rat-scan-data-2009-05-06.html
                avalon-rat-scan-data-2009-05-06.html
                archiva-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: roller-rat-scan-data-2009-05-07.html
                quetz-rat-scan-data-2009-05-07.html
                qpid-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html, poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html, quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: spamassassin-rat-scan-data-2009-05-07.html
                shale-rat-scan-data-2009-05-07.html
                servicemix-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html, poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html, quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html, servicemix-rat-scan-data-2009-05-07.html, shale-rat-scan-data-2009-05-07.html, spamassassin-rat-scan-data-2009-05-07.html
>


[jira] Commented: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12706824#action_12706824 ] 

Robert Burrell Donkin commented on INFRA-2042:
----------------------------------------------

Note that ATM attacks on SHA1 and DSA are still very, very difficult and artifacts protected by them should be considered safe for now  

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: xmlgraphics-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html, poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html, quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html, servicemix-rat-scan-data-2009-05-07.html, shale-rat-scan-data-2009-05-07.html, spamassassin-rat-scan-data-2009-05-07.html, stdcxx-rat-scan-data-2009-05-07.html, struts-rat-scan-data-2009-05-07.html, synapse-rat-scan-data-2009-05-07.html, tapestry-rat-scan-data-2009-05-07.html, tcl-rat-scan-data-2009-05-07.html, tiles-rat-scan-data-2009-05-07.html, tomcat-rat-scan-data-2009-05-07.html, turbine-rat-scan-data-2009-05-07.html, tuscany-rat-scan-data-2009-05-07.html, velocity-rat-scan-data-2009-05-07.html, wicket-rat-scan-data-2009-05-07.html, ws-rat-scan-data-2009-05-07.html, xerces-rat-scan-data-2009-05-07.html, xml-rat-scan-data-2009-05-07.html, xmlbeans-rat-scan-data-2009-05-07.html, xmlgraphics-rat-scan-data-2009-05-07.html
>
>
> [PLEASE LEAVE OPEN FOR LONG TERM TRACKING]
> NIST advises [1] SHA1 has been scheduled for EOL in 2010. Recent research [2] has revealed new vulnerabilities in SHA1.
> DSA requires a 160-bit hash, with SHA1 the most common choice. DSA has a 1024-bit key length. This is considered too short [4], with 4096 bits being better but 8192 preferable. Most digital signatures - including many of those which secure the WOT [3] and Apache releases - use SHA1 and DSA.
> Debian are preparing to start transitioning away from DSA and SHA1 [5]. Apache should think about how to do the same.
> [1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
> [2] See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> [3] Web Of Trust
> [4] Applied Cryptography, Long Range Factor Predictions
> [5] http://www.debian-administration.org/users/dkg/weblog/48



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: ws-rat-scan-data-2009-05-07.html
                wicket-rat-scan-data-2009-05-07.html
                velocity-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: tuscany-rat-scan-data-2009-05-07.html
                turbine-rat-scan-data-2009-05-07.html
                tomcat-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: synapse-rat-scan-data-2009-05-07.html
                struts-rat-scan-data-2009-05-07.html
                stdcxx-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell updated INFRA-2042:
---------------------------------

    Component/s: Dists



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: incubator-rat-scan-data-2009-05-07.html
                ibatis-rat-scan-data-2009-05-07.html
                httpd-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: james-rat-scan-data-2009-05-07.html
                jakarta-rat-scan-data-2009-05-07.html
                jackrabbit-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: maven-rat-scan-data-2009-05-07.html
                lucene-rat-scan-data-2009-05-07.html
                logging-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: xmlbeans-rat-scan-data-2009-05-07.html
                xml-rat-scan-data-2009-05-07.html
                xerces-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org

> EOL SHA1, DSA 
> --------------
>
>                 Key: INFRA-2042
>                 URL: https://issues.apache.org/jira/browse/INFRA-2042
>             Project: Infrastructure
>          Issue Type: Task
>      Security Level: public(Regular issues) 
>            Reporter: Robert Burrell Donkin
>         Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html, buildr-rat-scan-data-2009-05-06.html, camel-rat-scan-data-2009-05-06.html, cayenne-rat-scan-data-2009-05-06.html, cocoon-rat-scan-data-2009-05-06.html, commons-rat-scan-data-2009-05-06.html, continuum-rat-scan-data-2009-05-06.html, couchdb-rat-scan-data-2009-05-06.html, cxf-rat-scan-data-2009-05-06.html, db-rat-scan-data-2009-05-06.html, directory-rat-scan-data-2009-05-06.html, excalibur-rat-scan-data-2009-05-06.html, felix-rat-scan-data-2009-05-06.html, forrest-rat-scan-data-2009-05-06.html, geronimo-rat-scan-data-2009-05-06.html, hadoop-rat-scan-data-2009-05-06.html, harmony-rat-scan-data-2009-05-06.html, hivemind-rat-scan-data-2009-05-06.html, httpcomponents-rat-scan-data-2009-05-06.html, httpd-rat-scan-data-2009-05-06.html, ibatis-rat-scan-data-2009-05-07.html, incubator-rat-scan-data-2009-05-07.html, jackrabbit-rat-scan-data-2009-05-07.html, jakarta-rat-scan-data-2009-05-07.html, james-rat-scan-data-2009-05-07.html, java-rat-scan-data-2009-05-07.html, java-repository-rat-scan-data-2009-05-07.html, lenya-rat-scan-data-2009-05-07.html, logging-rat-scan-data-2009-05-07.html, lucene-rat-scan-data-2009-05-07.html, maven-rat-scan-data-2009-05-07.html, maven-repository-rat-scan-data-2009-05-07.html, mina-rat-scan-data-2009-05-07.html, myfaces-rat-scan-data-2009-05-07.html, ode-rat-scan-data-2009-05-07.html, ofbiz-rat-scan-data-2009-05-07.html, openejb-rat-scan-data-2009-05-07.html, openjpa-rat-scan-data-2009-05-07.html, perl-rat-scan-data-2009-05-07.html, poi-rat-scan-data-2009-05-07.html, portals-rat-scan-data-2009-05-07.html, qpid-rat-scan-data-2009-05-07.html, quetz-rat-scan-data-2009-05-07.html, roller-rat-scan-data-2009-05-07.html, servicemix-rat-scan-data-2009-05-07.html, shale-rat-scan-data-2009-05-07.html, 
spamassassin-rat-scan-data-2009-05-07.html, stdcxx-rat-scan-data-2009-05-07.html, struts-rat-scan-data-2009-05-07.html, synapse-rat-scan-data-2009-05-07.html, tapestry-rat-scan-data-2009-05-07.html, tcl-rat-scan-data-2009-05-07.html, tiles-rat-scan-data-2009-05-07.html, tomcat-rat-scan-data-2009-05-07.html, turbine-rat-scan-data-2009-05-07.html, tuscany-rat-scan-data-2009-05-07.html, velocity-rat-scan-data-2009-05-07.html, wicket-rat-scan-data-2009-05-07.html, ws-rat-scan-data-2009-05-07.html, xerces-rat-scan-data-2009-05-07.html, xml-rat-scan-data-2009-05-07.html, xmlbeans-rat-scan-data-2009-05-07.html, xmlgraphics-rat-scan-data-2009-05-07.html
>
>
> [PLEASE LEAVE OPEN FOR LONG TERM TRACKING]
> NIST advises [1] SHA1 has been scheduled for EOL in 2010. Recent research[2] has revealed new vulnerabilities in SHA1.  
> DSA requires a 160bit hash with SHA1 the most common choice. DSA has a 1024bit key length. This is considered too short[4] with 4096 bits being better but 8192 preferrable. Most digital signatures - including many of those which secure the WOT[3] and Apache releases- use SHA1 and SDA. 
> Debian are preparing to start transitioning away from DSA and SHA1[5]. Apache should think about how to do the same.
> [1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
> [2] See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> [3] Web Of Trust
> [4] Applied Cryptography, Long Range Factor Predications
> [5] http://www.debian-administration.org/users/dkg/weblog/48



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: openejb-rat-scan-data-2009-05-07.html
                ofbiz-rat-scan-data-2009-05-07.html
                ode-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: continuum-rat-scan-data-2009-05-06.html
                commons-rat-scan-data-2009-05-06.html
                cocoon-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: tiles-rat-scan-data-2009-05-07.html
                tcl-rat-scan-data-2009-05-07.html
                tapestry-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: myfaces-rat-scan-data-2009-05-07.html
                mina-rat-scan-data-2009-05-07.html
                maven-repository-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: portals-rat-scan-data-2009-05-07.html
                poi-rat-scan-data-2009-05-07.html
                perl-rat-scan-data-2009-05-07.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: apr-rat-scan-data-2009-05-06.html
                ant-rat-scan-data-2009-05-06.html
                activemq-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org



[jira] Commented: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12706826#action_12706826 ] 

Robert Burrell Donkin commented on INFRA-2042:
----------------------------------------------

Just in case a credible attack turns up in the next few weeks, I've run baseline hashes on archive.apache.org. The results will be attached.

Scan (https://svn.apache.org/repos/asf/incubator/rat/scan/trunk) can perform diffs to discover any changes if required in future. However, it would also be worthwhile talking to Henk about moving his database to SHA512.

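The baseline-and-diff workflow the comment above describes, as an added example that is not the rat scan tool's own code: hash a directory tree with SHA-512, store the baseline, rescan later and report files added, removed or changed. The file names in the demo tree and the `algorithm` field in the baseline format are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: SHA-512 as the successor digest, as the comment above suggests.
ALGO = "sha512"


def digest_bytes(data: bytes, algo: str = ALGO) -> str:
    """Hex digest of an in-memory buffer (used for known-answer checks)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: Path, algo: str = ALGO, chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so large release tarballs are not
    loaded into memory whole."""
    h = hashlib.new(algo)
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, algo: str = ALGO) -> dict:
    """Baseline of a directory tree: {"algorithm": ..., "files": {relpath: hexdigest}}.

    Symlinks are skipped so a link pointing outside the tree is never recorded
    as if it were archive content; paths are stored POSIX-style and sorted so
    two baselines of the same tree serialise identically.
    """
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        files[p.relative_to(root).as_posix()] = digest_file(p, algo)
    return {"algorithm": algo, "files": files}


def save_baseline(baseline: dict, out: Path) -> None:
    Path(out).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def diff_baselines(old: dict, new: dict) -> dict:
    """Paths added, removed or changed between two baselines.

    Refuses to compare baselines taken with different algorithms: an old
    SHA-1 baseline diffed against a SHA-512 rescan would flag every file as
    changed and bury any real modification.
    """
    if old["algorithm"] != new["algorithm"]:
        raise ValueError(
            f"baseline algorithms differ ({old['algorithm']} vs "
            f"{new['algorithm']}); rescan with one algorithm before diffing"
        )
    o, n = old["files"], new["files"]
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "changed": sorted(k for k in o.keys() & n.keys() if o[k] != n[k]),
    }


def demo() -> dict:
    """Constructed archive tree (hypothetical file names): take a baseline,
    then alter the tree and report what the rescan detects."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "archive"
        (archive / "dist").mkdir(parents=True)
        (archive / "dist" / "foo-1.0.tar.gz").write_bytes(b"release-1.0")
        (archive / "dist" / "foo-1.0.tar.gz.asc").write_bytes(b"signature")
        (archive / "KEYS").write_bytes(b"keyring")

        # Baseline is stored outside the tree so it does not hash itself next time.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(scan_tree(archive), baseline_file)

        # Later changes: one artefact rewritten, its signature gone, a new file.
        (archive / "dist" / "foo-1.0.tar.gz").write_bytes(b"release-1.0-altered")
        (archive / "dist" / "foo-1.0.tar.gz.asc").unlink()
        (archive / "dist" / "foo-1.1.tar.gz").write_bytes(b"release-1.1")

        return diff_baselines(load_baseline(baseline_file), scan_tree(archive))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```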


[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: httpcomponents-rat-scan-data-2009-05-06.html
                hivemind-rat-scan-data-2009-05-06.html
                harmony-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: cayenne-rat-scan-data-2009-05-06.html
                camel-rat-scan-data-2009-05-06.html
                buildr-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org



[jira] Updated: (INFRA-2042) EOL SHA1, DSA

Posted by "Robert Burrell Donkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------

    Attachment: hadoop-rat-scan-data-2009-05-06.html
                geronimo-rat-scan-data-2009-05-06.html
                forrest-rat-scan-data-2009-05-06.html

Scan results for archive.apache.org
