| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 01/12/2015 02:34 AM, Brian Dolbec wrote: |
| 5 |
> On Sun, 11 Jan 2015 12:06:18 -0500 Rich Freeman <rich0@g.o> |
| 6 |
> wrote: |
| 7 |
> |
| 8 |
>> On Sun, Jan 11, 2015 at 11:43 AM, Brian Dolbec |
| 9 |
>> <dolsen@g.o> wrote: |
| 10 |
>>> Of the remaining devs, only 16 keys total pass the GLEP 63 |
| 11 |
>>> requirements. More info can be found in the First-Use wiki |
| 12 |
>>> page [4] |
| 13 |
>> |
| 14 |
>> If you just create a gpg key with 5yr expiry and |
| 15 |
>> otherwise-default options, typing a larger number into the |
| 16 |
>> keysize prompt, do you get a compliant key? The guides talk |
| 17 |
>> about editing your gpg.conf, and it looks like the tool does it |
| 18 |
>> for you, but is any of that necessary to generate a compliant |
| 19 |
>> key? I'd prefer raw gpg commands and not a script that automates |
| 20 |
>> everything. |
| 21 |
>> |
| 22 |
>> Would this work: gpg --gen-key option 2 - DSA and Elgamal size |
| 23 |
>> 3072 (the max) expires 5y Enter your name, email, and |
| 24 |
>> passphrase. |
| 25 |
>> |
| 26 |
>> I've been putting off generating a new key until this all |
| 27 |
>> settles down, and would prefer to mess with it as infrequently as |
| 28 |
>> possible. Most likely I'll just switch to Gentoo-dedicated key |
| 29 |
>> for the tree. |
| 30 |
>> |
| 31 |
> |
| 32 |
> Wait for Kristian to reply about the algorythm choice. |
| 33 |
|
| 34 |
GnuPG defaults to 2048 bit RSA primary key with 2048 bit RSA |
| 35 |
encryption subkey. DSA and ElGamal have not been the default for a |
| 36 |
while for a few reasons. For those interested in a bit more technical |
| 37 |
details read further. |
| 38 |
|
| 39 |
One issue with DSA/ElGamal is the requirement for a random k value |
| 40 |
while signing/encrypting, i.e. there is a requirement for a random |
| 41 |
source for all signatures and encryption, not only while generating |
| 42 |
the key, and the lack of proper randomness can cause private key |
| 43 |
leakage (in the case of signatures). This can be mitigated by the use |
| 44 |
of RFC6979 " |
| 45 |
Deterministic Usage of the Digital Signature Algorithm (DSA) and |
| 46 |
Elliptic Curve Digital Signature Algorithm (ECDSA)" , however this is |
| 47 |
only introduced in libgcrypt 1.6. |
| 48 |
|
| 49 |
Another issue is that DSA key sizes > 1024 bits are part of what is |
| 50 |
commonly referred to as DSA2-standard, so this is less interoperable |
| 51 |
with older versions. |
| 52 |
|
| 53 |
Newer versions of GnuPG (in the 2.1 branch) won't give algorithm |
| 54 |
choice at all unless --full-gen-key is used but generate using the |
| 55 |
defaults. |
| 56 |
|
| 57 |
- -- |
| 58 |
Kristian Fiskerstrand |
| 59 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
| 60 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 61 |
-----BEGIN PGP SIGNATURE----- |
| 62 |
|
| 63 |
iQIcBAEBCgAGBQJUtA0/AAoJEPw7F94F4TagGMIP/31V+VrAvB3PtEYeS+jhNc+D |
| 64 |
1a020/Zo8rnrHKElK4+WDg+M+Dvw6UoQEpTvAu/ViZkGoCkDCE2iSo1Pv35NkwhB |
| 65 |
7wVzJJU4yoK/qdxwi9hjZSXTjuLjGRvxOvHLRJ0bChMDbgPs4O3pODlvTf4Uyqxx |
| 66 |
dUkfLblntJeFYEEMnx3ryFxpLpbKSc27cQLg+DlXvASMTMulbhb2wRi5HfCJ1zfj |
| 67 |
14FzSQFPuolkgLbuRJGvntq8uDAD03nTTnuAX9QiTOaT8GxRxw6RLIWa35E1tctq |
| 68 |
jBPPfGn+SyrPEHx5Gqgzo7Q8PfFTk6X60Fkzau+1qPd6sE0G8EA54CG/sFydoZEr |
| 69 |
N8XKPYOM+lw51kVHNR6GSjgFitc53Adqx0yHzzm1l+hYVmk3ZKitjmyCf+pyTS+a |
| 70 |
wkFxcNd/N1pfhfBs3LVSqvKPjw1NUaengt5eeC2YGkhYXs1qT0e1aO9uUzBAhsCc |
| 71 |
aH+6oTIG8fm0RClFUuuNVOv4STDPOpNtiOvOboO9ICHE6nwYaGUblKxCSvQ8gz/Q |
| 72 |
wEpqZ0rXDz9dJKBGBXMNIb0jxLejWvoiUb6V6oWYS5xHMWdiM+JpVInmNs7OZ9ks |
| 73 |
Yn65z5Ffi54X2fc6qAFUaTpMZ7NVIq5f6D96Mx7SZD3VCOzIhgWh8fbEnWqqCkVE |
| 74 |
Qf0hbsyzeHZXyxQWQNwb |
| 75 |
=Odoa |
| 76 |
-----END PGP SIGNATURE----- |
Archives