04-05-2011, 03:15 PM
Vincent Caron
Updating GPG howto (http://keyring.debian.org/creating-key.html)

Hello list,

I'm about to generate a new GPG keypair to supplement my old v3 1024R
as suggested by Gunnar Wolf as of 2010-09-14 [1] and I was following the
documentation on http://keyring.debian.org/creating-key.html .

I'm using GnuPG 1.4.11 from my Debian Wheezy, and a few things have
changed since that tutorial was written. I'm not very sure about the
security concerns about my decision, so I'm asking experts on the list
how the tutorial should be updated for recent GnuPG.

1/ There is no date or GnuPG version on the tutorial. The source
(Ana's blog) is more precise, it's 2009-05-10 and GnuPG < 1.4. There's a
later update about GnuPG 1.4.0 and higher as of 2009-09. Wouldn't it be
more clear if the page explicitly mentions the GnuPG versions pertaining
to that documentation ?


2/ It is suggested to update gnupg.conf with:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Is it still needed with GnuPG 1.4.11 ?


3/ The --gen-key menu has changed from the tutorial, it is now:

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Again Ana's blog has been updated and it looks legal (and a good idea)
to select the (1) option which also generates an encryption key in one
go. Is that correct ?



[1] http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1302016515.2757.68.camel@zerohal.local
 
04-06-2011, 01:09 AM
"brian m. carlson"
Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
> 2/ It is suggested to update gnupg.conf with:
>
> personal-digest-preferences SHA256
> cert-digest-algo SHA256
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> Is it still needed with GnuPG 1.4.11 ?

This isn't strictly needed with any version of GnuPG. However, these
settings choose algorithms which are known to be stronger (avoiding MD5
and the mandatory but somewhat weakened SHA1). Setting
default-preference-list specifies which algorithms you prefer in your
key's self-signature (which you can always change later).
Implementations are forbidden from using algorithms (other than the
default must-implement ones) that you do not specify in your
self-signature. Using cert-digest-algo chooses the algorithm you will
use in signing keys. And finally, personal-digest-preferences is the
algorithm you will use when signing data.

If you know what you're doing, you can choose the algorithms you prefer
here instead of these. If you don't, these are fine choices.

> 3/ The --gen-key menu has changed from the tutorial, it is now:
>
> Please select what kind of key you want:
> (1) RSA and RSA (default)
> (2) DSA and Elgamal
> (3) DSA (sign only)
> (4) RSA (sign only)
>
> Again Ana's blog has been updated and it looks legal (and a good idea)
> to select the (1) option which also generates an encryption key in one
> go. Is that correct ?

Yes. It creates an RSA main key (used for signing other keys and
possibly data) and an RSA encryption-only subkey. Some people use a
subkey for signing as well, but that can be generated later. I
recommend using the largest size possible, which IIRC is 4096 bits.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
 
04-06-2011, 10:15 AM
Vincent Caron
Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Wed, 2011-04-06 at 01:09 +0000, brian m. carlson wrote:
> On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
> > 2/ It is suggested to update gnupg.conf with:
> >
> > personal-digest-preferences SHA256
> > cert-digest-algo SHA256
> > default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> >
> > Is it still needed with GnuPG 1.4.11 ?
>
> This isn't strictly needed with any version of GnuPG. However, these
> settings choose algorithms which are known to be stronger (avoiding MD5
> and the mandatory but somewhat weakened SHA1). Setting
> default-preference-list specifies which algorithms you prefer in your
> key's self-signature (which you can always change later).
> Implementations are forbidden from using algorithms (other than the
> default must-implement ones) that you do not specify in your
> self-signature. Using cert-digest-algo chooses the algorithm you will
> use in signing keys. And finally, personal-digest-preferences is the
> algorithm you will use when signing data.

That's a nice explanation that would fit on
http://keyring.debian.org/creating-key.html

Thanks for your help.



--
Archive: http://lists.debian.org/1302084949.4011.11.camel@zerohal.local
 
04-07-2011, 02:02 PM
"brian m. carlson"
Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Wed, Apr 06, 2011 at 12:15:49PM +0200, Vincent Caron wrote:
> That's a nice explanation that would fit on
> http://keyring.debian.org/creating-key.html

If someone would like to put it up there, he or she should feel free to
do so.

> Thanks for your help.

Sure.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
 
04-07-2011, 05:26 PM
Jonathan McDowell
Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Wed, Apr 06, 2011 at 12:15:49PM +0200, Vincent Caron wrote:
> On Wed, 2011-04-06 at 01:09 +0000, brian m. carlson wrote:
> > On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
> > > 2/ It is suggested to update gnupg.conf with:
> > >
> > > personal-digest-preferences SHA256
> > > cert-digest-algo SHA256
> > > default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> > >
> > > Is it still needed with GnuPG 1.4.11 ?
> >
> > This isn't strictly needed with any version of GnuPG. However, these
> > settings choose algorithms which are known to be stronger (avoiding MD5
> > and the mandatory but somewhat weakened SHA1). Setting
> > default-preference-list specifies which algorithms you prefer in your
> > key's self-signature (which you can always change later).
> > Implementations are forbidden from using algorithms (other than the
> > default must-implement ones) that you do not specify in your
> > self-signature. Using cert-digest-algo chooses the algorithm you will
> > use in signing keys. And finally, personal-digest-preferences is the
> > algorithm you will use when signing data.
>
> That's a nice explanation that would fit on
> http://keyring.debian.org/creating-key.html

It's not entirely accurate. The point of those lines is to ensure that
older (certainly lenny and earlier, I'm not sure when the default
changed) versions of GnuPG don't use SHA1 when signing keys (either your
own or others).

J.

--
It's ten o'clock; do you know where your processes are?
This .sig brought to you by the letter L and the number 13
Product of the Republic of HuggieTag


--
Archive: http://lists.debian.org/20110407172610.GO4835@earth.li
 
04-07-2011, 09:54 PM
"brian m. carlson"
Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Thu, Apr 07, 2011 at 10:26:10AM -0700, Jonathan McDowell wrote:
> It's not entirely accurate. The point of those lines are to ensure that
> older (certainly lenny and earlier, I'm not sure when the default
> changed) versions of GnuPG don't use SHA1 when signing keys (either your
> own or others).

From looking at the source code, it seems that the default digest
algorithm for signing both data and keys is still SHA-1. There is some
special code to handle DSA keys with the size of q > 160 bits, since
SHA-1 wouldn't work in those cases. This makes sense since it is the
must-implement hash algorithm. So setting these preferences is still
recommended for current use. While these preferences do affect key
signatures, they also affect other uses as well—uses where SHA-1 is
still a bad choice.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
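The two practical points of this thread are the "RSA and RSA" key layout with a 4096-bit size (brian's first reply) and the fact that, without the three gpg.conf lines, GnuPG 1.4 still defaults to SHA-1 for signatures (his last reply). The script below is an added example by the editor, not code from the thread, from keyring.debian.org or from Ana's blog. It writes a GnuPG batch parameter file that produces exactly that layout (RSA 4096 sign-only primary, RSA 4096 encrypt-only subkey, the thread's preference list baked into the self-signature), and it goes one step beyond the thread by auditing `gpg --list-packets` output so you can check which digest your self-signatures and certifications were actually made with. The name, e-mail, passphrase, key ID and packet dump are constructed placeholders; the packet-dump format assumed is the `:signature packet:` / `sigclass` / `digest algo` layout GnuPG 1.4 and 2.x print.

```shell
#!/bin/sh
# Editor's added example, not code from the thread or from keyring.debian.org.
# (1) write a GnuPG batch parameter file for the "RSA and RSA" choice:
#     RSA 4096 sign-only primary + RSA 4096 encrypt-only subkey, with the
#     thread's preference list; (2) audit `gpg --list-packets` output for
#     signatures still made with SHA-1 or MD5, which is what
#     cert-digest-algo / personal-digest-preferences are meant to prevent.
# Name, e-mail, passphrase, key ID and paths below are placeholders.

# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4) to names.
hash_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin and print "<sigclass> <hash-id>"
# for every signature packet (0x13 = UID self-signature, 0x18 = subkey
# binding; 0x10-0x13 on someone else's key = a certification you made).
sig_digests() {
    awk '
        /^:signature packet:/ { insig = 1; cls = "?"; next }
        insig && match($0, /sigclass 0x[0-9a-fA-F]+/) {
            cls = substr($0, RSTART + 9, RLENGTH - 9)
        }
        insig && match($0, /digest algo [0-9]+/) {
            print cls, substr($0, RSTART + 12, RLENGTH - 12)
            insig = 0
        }
    '
}

# One human-readable line per signature.
sig_report() {
    sig_digests | while read -r cls algo; do
        echo "sigclass $cls: $(hash_name "$algo")"
    done
}

# Number of signatures made with MD5 (1) or SHA-1 (2).
count_weak_sigs() {
    sig_digests | awk '$2 == 1 || $2 == 2 { n++ } END { print n + 0 }'
}

# Batch parameter file for `gpg --batch --gen-key <file>`.
write_batch_params() {
    cat > "$1" <<'EOF'
%echo Generating RSA 4096 primary key and RSA 4096 encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Example Developer
Name-Email: example@example.org
Expire-Date: 2y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Passphrase: change-me-before-real-use
%commit
EOF
}

# Generate a key in a throwaway homedir that carries the thread's gpg.conf
# lines, then print how many of its self-signatures use SHA-1/MD5 (expect 0).
# Not run automatically: it needs gpg, entropy and some time.
generate_and_audit() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    printf 'personal-digest-preferences SHA256\ncert-digest-algo SHA256\n' \
        > "$home/gpg.conf"
    write_batch_params "$home/params"
    gpg --homedir "$home" --batch --gen-key "$home/params" >/dev/null 2>&1 || return 1
    gpg --homedir "$home" --export | gpg --homedir "$home" --list-packets | count_weak_sigs
}

# Constructed sample of --list-packets output (no real key material):
# a SHA-1 UID self-signature next to a SHA256 subkey-binding signature.
SAMPLE_PACKETS=':public key packet:
    version 4, algo 1, created 1302016515, expires 0
:user ID packet: "Example Developer <example@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1302016515, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 4a 3b
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
:public sub key packet:
    version 4, algo 1, created 1302016515, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1302016515, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 7c 1d
    hashed subpkt 27 len 1 (key flags: 0C)'

audit_sample() {
    printf '%s\n' "$SAMPLE_PACKETS" | count_weak_sigs
}

printf '%s\n' "$SAMPLE_PACKETS" | sig_report
echo "weak signatures in sample: $(audit_sample)"
```

To audit a key you already have, pipe `gpg --export <keyid> | gpg --list-packets` into `sig_report`; any `SHA1` line on a 0x13 self-signature or on a certification you issued is one that the three gpg.conf lines would have avoided. Run `generate_and_audit` by hand when you want to see the batch parameters produce a clean (0 weak signatures) key; the parameter file uses `Passphrase:` so it works on GnuPG 1.4 as well as 2.x.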
 