From: Matthew Seaman
Date: Fri, 5 Aug 2016 09:48:02 +0100
To: freebsd-current@freebsd.org
Subject: Re: HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0
Message-ID: <688e5574-10e3-05a6-3346-6ad8150c998b@infracaninophile.co.uk>
In-Reply-To: <20160805020950.GJ43509@FreeBSD.org>
References: <20160805015918.GI43509@FreeBSD.org> <20160805020950.GJ43509@FreeBSD.org>

On 08/05/16 03:09, Glen Barber wrote:
> On Fri, Aug 05, 2016 at 01:59:18AM +0000, Glen Barber wrote:
>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH,
>> and will be deprecated effective 11.0-RELEASE (and preceding RCs).
>>
>
> Stupid editor mistake.  OpenSSH DSA keys are deprecated upstream.  Sorry
> for any confusion.
>
>> Please see r303716 for details on the relevant commit, but upstream no
>> longer considers them secure.  Please replace DSA keys with ECDSA or RSA

I believe ED25519 keys are also a preferred type.

>> keys as soon as possible, otherwise there will be issues when upgrading
>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the
>> 11.0-RELEASE build.
>>
>
> Glen
> On behalf of: re@ and secteam@
>

Cheers,

Matthew
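
An added example, not part of the original message or of FreeBSD: a POSIX sh function that lists the `ssh-dss` (DSA) entries in authorized_keys, known_hosts or `.pub` files so they can be replaced before the upgrade described above. The function names and the sample file are constructed for illustration, and the key blobs in the sample are truncated placeholders, not real keys.

```shell
#!/bin/sh
# Added example: report DSA public keys in OpenSSH key files.
# Usage: sh this-script.sh FILE...   (the script name is hypothetical)

# Print "file:line:comment" for every DSA public key line in the given files.
# A line counts only if a field is exactly "ssh-dss" AND the next field is a
# blob starting with the base64 of the encoded type string "ssh-dss", so the
# words "ssh-dss" inside a key comment do not produce a false hit.
find_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            NF == 0 || $1 ~ /^#/ { next }        # skip blanks and comments
            {
                for (i = 1; i < NF; i++) {
                    if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                        comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                        printf "%s:%d:%s\n", file, NR, comment
                        next
                    }
                }
            }' "$f"
    done
}

# Number of DSA entries found across the given files.
count_dsa_keys() {
    find_dsa_keys "$@" | wc -l | tr -d ' '
}

# Write a constructed authorized_keys sample (placeholder blobs) to $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, key blobs are truncated placeholders
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@old-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@new-laptop
command="/usr/bin/true",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@cron
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER ssh-dss replaced
EOF
}

# Scan the files named on the command line, if any.
[ "$#" -eq 0 ] || find_dsa_keys "$@"
```

Pass the files to check as arguments, for example a user's authorized_keys and the host's public key files. Each reported entry needs a replacement key of one of the types named in the message.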