Security/Guidelines/Key Management: Difference between revisions

As PGP keys are rarely renewed, the minimum recommended settings are higher than for other keys. If you follow a strict key renewal period of '''less than 2 years''', it is reasonable to use RSA 2048-bit or ECDSA 224-bit keys.


=== Protection of user keys ===


Usage of machine keys should be registered in an inventory (a wiki page, LDAP, an inventory database), to allow for rapid auditing of key usage across an infrastructure.
=== Choice of algorithm ===
* Do not use DSA keys. These use a deprecated 160-bit SHA-1 hash (see http://csrc.nist.gov/groups/ST/hash/statement.html, http://lwn.net/Articles/337745/, http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036415.html).
* DSA2 keys are only supported by specific PGP implementations.
* ECDSA keys are increasingly common, but will not work on older systems and software.
* RSA keys work everywhere.
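The algorithm and renewal rules above can be checked mechanically across a keyring, which is what the inventory of machine keys is meant to enable. The script below is an added example and is not part of this guideline: it parses the machine-readable output of <code>gpg --list-keys --with-colons</code> (field 3 is the key size, field 4 the OpenPGP algorithm ID, fields 6 and 7 the creation and expiration timestamps), rejects DSA keys, and accepts RSA 2048 / ECDSA 224 only when the key's own expiration implies a renewal period under 2 years. The listing embedded in it is constructed, not captured from a real keyring, and the key IDs are placeholders. Where the renewal period is longer, the script can only point back to the larger minimum stated above, since it does not know your long-lived minimum.

```python
"""Audit a `gpg --list-keys --with-colons` listing against the key guideline.

Added example, not part of the guideline page. SAMPLE_LISTING is constructed
and the key IDs in it are placeholders.
"""
import datetime as dt

# OpenPGP public-key algorithm IDs as printed in field 4 of --with-colons
# output (RFC 4880 section 9.1; 18 and 19 come from RFC 6637).
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA"}

# The smaller sizes are acceptable only under a renewal period below 2 years.
MAX_SHORT_RENEWAL = dt.timedelta(days=2 * 365)
MIN_BITS_SHORT_LIVED = {"RSA": 2048, "ECDSA": 224}

# Constructed sample: one 'pub' record per primary key, 'uid' records ignored.
SAMPLE_LISTING = """\
pub:u:1024:17:1111111111111111:1262304000::-:::scESC::::::
uid:u::::1262304000::DEADBEEF::alice@example.org::::::::::
pub:u:2048:1:2222222222222222:1546300800:1577836800::u:::scESC::::::
uid:u::::1546300800::CAFEBABE::bob@example.org::::::::::
pub:u:2048:1:3333333333333333:1546300800:::u:::scESC::::::
pub:u:4096:1:4444444444444444:1546300800:1704067200::u:::scESC::::::
pub:u:224:19:5555555555555555:1546300800:1577836800::u:::scESC::::::
pub:u:2048:1:6666666666666666:1546300800:1704067200::u:::scESC::::::
pub:u:1024:1:7777777777777777:1546300800:1577836800::u:::scESC::::::
"""


def _timestamp(field):
    """Creation/expiry fields are epoch seconds in current GnuPG and YYYY-MM-DD in old releases."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    parsed = dt.datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    return int(parsed.timestamp())


def parse_listing(text):
    """Return one dict per primary key ('pub' record) in a --with-colons listing."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        keys.append({
            "keyid": fields[4],
            "bits": int(fields[2]),
            "algo": ALGO_NAMES.get(int(fields[3]), "algo%s" % fields[3]),
            "created": _timestamp(fields[5]),
            "expires": _timestamp(fields[6]),
        })
    return keys


def audit_key(key):
    """Findings for one key under the guideline; an empty list means it passes."""
    findings = []
    algo, bits = key["algo"], key["bits"]
    if algo == "DSA":
        findings.append("DSA: deprecated (160-bit SHA-1), replace the key")
        return findings
    if algo not in MIN_BITS_SHORT_LIVED:
        findings.append("%s: not covered by the guideline, review manually" % algo)
        return findings
    if key["expires"] is None:
        # Without an expiration date there is no renewal period to rely on.
        findings.append("no expiration date set")
        short_lived = False
    else:
        renewal = dt.timedelta(seconds=key["expires"] - key["created"])
        short_lived = renewal <= MAX_SHORT_RENEWAL
    minimum = MIN_BITS_SHORT_LIVED[algo]
    if bits < minimum:
        findings.append("%s %d bits is below the %d-bit minimum" % (algo, bits, minimum))
    elif bits == minimum and not short_lived:
        findings.append("%s %d bits is only acceptable with a renewal period under 2 years"
                        % (algo, bits))
    return findings


def audit_listing(text):
    """Map each primary key ID to its list of findings."""
    return {k["keyid"]: audit_key(k) for k in parse_listing(text)}


if __name__ == "__main__":
    for keyid, findings in audit_listing(SAMPLE_LISTING).items():
        print(keyid, "OK" if not findings else "; ".join(findings))
```

To run it against a real keyring, pipe <code>gpg --list-keys --with-colons</code> into <code>audit_listing</code> instead of the sample; the same parser works for <code>--list-secret-keys --with-colons</code> if you change the record type from <code>pub</code> to <code>sec</code>.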


=== Expiration of keys ===