Posted to infrastructure-issues@apache.org by "Robert Burrell Donkin (JIRA)" <ji...@apache.org> on 2009/05/07 14:44:30 UTC
[jira] Updated: (INFRA-2042) EOL SHA1, DSA
[ https://issues.apache.org/jira/browse/INFRA-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Burrell Donkin updated INFRA-2042:
-----------------------------------------
Attachment: apr-rat-scan-data-2009-05-06.html
ant-rat-scan-data-2009-05-06.html
activemq-rat-scan-data-2009-05-06.html
Scan results for archive.apache.org
> EOL SHA1, DSA
> --------------
>
> Key: INFRA-2042
> URL: https://issues.apache.org/jira/browse/INFRA-2042
> Project: Infrastructure
> Issue Type: Task
> Security Level: public(Regular issues)
> Reporter: Robert Burrell Donkin
> Attachments: activemq-rat-scan-data-2009-05-06.html, ant-rat-scan-data-2009-05-06.html, apr-rat-scan-data-2009-05-06.html, archiva-rat-scan-data-2009-05-06.html, avalon-rat-scan-data-2009-05-06.html, beehive-rat-scan-data-2009-05-06.html
>
>
> [PLEASE LEAVE OPEN FOR LONG TERM TRACKING]
> NIST advises [1] SHA1 has been scheduled for EOL in 2010. Recent research[2] has revealed new vulnerabilities in SHA1.
> DSA requires a 160-bit hash with SHA1 the most common choice. DSA has a 1024-bit key length. This is considered too short[4] with 4096 bits being better but 8192 preferable. Most digital signatures - including many of those which secure the WOT[3] and Apache releases - use SHA1 and DSA.
> Debian are preparing to start transitioning away from DSA and SHA1[5]. Apache should think about how to do the same.
> [1] See http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
> [2] See http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> [3] Web Of Trust
> [4] Applied Cryptography, Long Range Factor Predictions
> [5] http://www.debian-administration.org/users/dkg/weblog/48
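One way to find the keys and signatures the issue above is concerned with, as an added example that is not part of the original message or of the Apache scan tooling: it parses a `gpg --with-colons --list-sigs` listing and flags DSA keys, short RSA/Elgamal keys, and signatures made with SHA1 or MD5. The function name, the 2048-bit floor and the sample listing are assumptions constructed for illustration.

```python
# Added example: flag DSA keys, short keys and SHA1/MD5 signatures in a
# `gpg --with-colons --list-sigs` listing. IDs follow RFC 4880 sections 9.1 and 9.4.
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
WEAK_HASHES = {1: "MD5", 2: "SHA1"}
MIN_BITS = 2048  # assumed policy floor; the issue itself does not set one

# Constructed sample listing (key IDs, dates and user IDs are made up).
SAMPLE = """\
pub:-:1024:17:1111111111111111:1104537600:::-:::scESC:
uid:-::::1104537600::::Old Key (constructed) <old@example.org>:
sig:::17:1111111111111111:1104537600::::Old Key (constructed) <old@example.org>:13x:::::2:
sub:-:1024:16:2222222222222222:1104537600::::::e:
pub:-:4096:1:3333333333333333:1241654400:::-:::scESC:
uid:-::::1241654400::::New Key (constructed) <new@example.org>:
sig:::1:3333333333333333:1241654400::::New Key (constructed) <new@example.org>:13x:::::8:
"""


def audit(listing, min_bits=MIN_BITS):
    """Return (key_id, reason) pairs for keys and signatures needing transition."""
    findings = []
    current = None  # primary key the following sig records belong to
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 4 and f[2].isdigit() and f[3].isdigit():
            bits, algo, key_id = int(f[2]), int(f[3]), f[4]
            if f[0] == "pub":
                current = key_id
            if algo == 17:
                findings.append((key_id, f"{f[0]} key is DSA ({bits} bits)"))
            elif algo in PUBKEY_ALGOS and bits < min_bits:
                findings.append((key_id, f"{f[0]} key is {bits}-bit {PUBKEY_ALGOS[algo]}"))
        # Field 16 of a sig record is the hash algorithm, when gpg reports it.
        elif f[0] == "sig" and len(f) > 15 and f[15].isdigit():
            hash_id = int(f[15])
            if hash_id in WEAK_HASHES:
                findings.append((current, f"signature by {f[4]} uses {WEAK_HASHES[hash_id]}"))
    return findings


if __name__ == "__main__":
    for key_id, reason in audit(SAMPLE):
        print(key_id, reason)
```

Signature records that carry no hash field are skipped rather than guessed at, so a clean result on such a listing says nothing about the digests in use.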