X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 0A749DC01C6 for ; Mon, 24 Nov 2014 06:19:50 +0000 (UTC) Received: by mail-la0-f42.google.com with SMTP id s18so7121938lam.29 for ; Sun, 23 Nov 2014 22:19:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-type:content-transfer-encoding; bh=ICe0IY9tTZk7tBh8o1XwV4v+fSrVgHZCjkJCrWSK5mY=; b=ll6LkG+DSuIJQO5eNFLO19H6OwgAL64eSRG5jH3+PzqaWP4Myw1MZLGwmda37TvfNF Ywhwa4I/BWwMGl0hOaOIfrXOdYs9mPR0UNEsBZ1obxOAU2EmQEqL3Xv1j6HI9iSMyfLR UEN/Eavzsx0399hN1heRvBwd2JK48hrkXPIglnpPe0gUjC/TwXNrOYHsx5FLk5yBLrRG +1wD2CBei51F0HyWDTEW+fbDki8f4HfggeNG2Ph5EqlcbZD7by3Ev2vHbCgUkVMCPUoG RpQPnpjZLOHCpqcN/yem7qx8q1BywUwUZFZlq0jopr9K0E+SYHriN8YoXGPrGV5zqNhL EwQw== X-Received: by 10.112.45.228 with SMTP id q4mr18775839lbm.35.1416809989165; Sun, 23 Nov 2014 22:19:49 -0800 (PST) Received: from vostro ([83.145.235.199]) by mx.google.com with ESMTPSA id m3sm3286043laa.10.2014.11.23.22.19.47 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 23 Nov 2014 22:19:48 -0800 (PST) Sender: =?UTF-8?Q?Timo_Ter=C3=A4s?= Date: Mon, 24 Nov 2014 08:19:02 +0200 From: Timo Teras To: Orion Cc: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] APK Key Size - Request to move from 1024 to 2048 Message-ID: <20141124081902.7581aa35@vostro> In-Reply-To: <20141123215745.372787f1@twinpeaks.my.domain> References: <20141122031340.4fb94395@twinpeaks.my.domain> <20141123124614.1fde186c@vostro> <20141123215745.372787f1@twinpeaks.my.domain> X-Mailer: Claws Mail 3.11.0 (GTK+ 2.24.23; x86_64-alpine-linux-musl) X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Sun, 23 Nov 2014 21:57:45 -0800 Orion wrote: > > Though, it would be probably good time to start doing EC-DSA > > signatures soon. Should probably be a target for alpine-3.2. > > Sounds like a good idea to me. Is there any given best practices for > EC-DSA and signing? There are several. I would probably just go ahead using the openssl the same way as for RSA. That is to generate ASN1 encoded raw signatures. For other parameters, I'm considering to use the NIST standard curves . Ed25519/Curve25519 would be interesting, but seems openssl (at least any release version) does not support it yet. The recommended combinations for interoperability seem to be (in PGP, SSL/TLS, CMS, IKEv2 and other standards): EC NIST P-256 (equals ~3072 RSA), SHA2-256, AES-128 EC NIST P-384 (equals ~7680 RSA), SHA2-348, AES-192 EC NIST P-521 (equals ~15360 RSA), SHA2-512, AES-256 In our case it's signatures, so just picking a curve + digest would do. Of these P256 is usually MUST, P521 is SHOULD, and P384 is MAY. So I'm thinking on going with P256 + SHA2-256 as next step. > Also I still can't find the signatures for the ISO releases or a > signature of the hashes. Unfortunately no. This is something we should do (or more like, should have been doing for a long time). I think doing detached PGP-signatures like others would be the way to go. ncopa, any thoughts? /Timo --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---