-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 01/12/2015 02:34 AM, Brian Dolbec wrote:
> On Sun, 11 Jan 2015 12:06:18 -0500 Rich Freeman <rich0@g.o>
> wrote:
> 
>> On Sun, Jan 11, 2015 at 11:43 AM, Brian Dolbec
>> <dolsen@g.o> wrote:
>>> Of the remaining devs, only 16 keys total pass the GLEP 63
>>> requirements. More info can be found in the First-Use wiki
>>> page [4]
>>
>> If you just create a gpg key with 5yr expiry and
>> otherwise-default options, typing a larger number into the
>> keysize prompt, do you get a compliant key? The guides talk
>> about editing your gpg.conf, and it looks like the tool does it
>> for you, but is any of that necessary to generate a compliant
>> key? I'd prefer raw gpg commands and not a script that automates
>> everything.
>>
>> Would this work: gpg --gen-key option 2 - DSA and Elgamal size
>> 3072 (the max) expires 5y Enter your name, email, and
>> passphrase.
>>
>> I've been putting off generating a new key until this all
>> settles down, and would prefer to mess with it as infrequently as
>> possible. Most likely I'll just switch to Gentoo-dedicated key
>> for the tree.
>>
> 
> Wait for Kristian to reply about the algorithm choice.

GnuPG defaults to 2048 bit RSA primary key with 2048 bit RSA
encryption subkey. DSA and ElGamal have not been the default for a
while for a few reasons. For those interested in a bit more technical
detail, read further.

One issue with DSA/ElGamal is the requirement for a random k value
while signing/encrypting, i.e. there is a requirement for a random
source for all signatures and encryption, not only while generating
the key, and the lack of proper randomness can cause private key
leakage (in the case of signatures). This can be mitigated by the use
of RFC6979 "Deterministic Usage of the Digital Signature Algorithm (DSA) and
Elliptic Curve Digital Signature Algorithm (ECDSA)", however this is
only introduced in libgcrypt 1.6.

Another issue is that DSA key sizes > 1024 bits are part of what is
commonly referred to as DSA2-standard, so this is less interoperable
with older versions.

Newer versions of GnuPG (in the 2.1 branch) won't give algorithm
choice at all unless --full-gen-key is used but generate using the
defaults.

- -- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUtA0/AAoJEPw7F94F4TagGMIP/31V+VrAvB3PtEYeS+jhNc+D
1a020/Zo8rnrHKElK4+WDg+M+Dvw6UoQEpTvAu/ViZkGoCkDCE2iSo1Pv35NkwhB
7wVzJJU4yoK/qdxwi9hjZSXTjuLjGRvxOvHLRJ0bChMDbgPs4O3pODlvTf4Uyqxx
dUkfLblntJeFYEEMnx3ryFxpLpbKSc27cQLg+DlXvASMTMulbhb2wRi5HfCJ1zfj
14FzSQFPuolkgLbuRJGvntq8uDAD03nTTnuAX9QiTOaT8GxRxw6RLIWa35E1tctq
jBPPfGn+SyrPEHx5Gqgzo7Q8PfFTk6X60Fkzau+1qPd6sE0G8EA54CG/sFydoZEr
N8XKPYOM+lw51kVHNR6GSjgFitc53Adqx0yHzzm1l+hYVmk3ZKitjmyCf+pyTS+a
wkFxcNd/N1pfhfBs3LVSqvKPjw1NUaengt5eeC2YGkhYXs1qT0e1aO9uUzBAhsCc
aH+6oTIG8fm0RClFUuuNVOv4STDPOpNtiOvOboO9ICHE6nwYaGUblKxCSvQ8gz/Q
wEpqZ0rXDz9dJKBGBXMNIb0jxLejWvoiUb6V6oWYS5xHMWdiM+JpVInmNs7OZ9ks
Yn65z5Ffi54X2fc6qAFUaTpMZ7NVIq5f6D96Mx7SZD3VCOzIhgWh8fbEnWqqCkVE
Qf0hbsyzeHZXyxQWQNwb
=Odoa
-----END PGP SIGNATURE-----
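The mitigation Kristian mentions, RFC 6979, removes the need for a random source at signing time by deriving the DSA/ECDSA nonce k from the private key and the message hash with HMAC-DRBG. The following is an added example (not code from the mailing list, GnuPG or libgcrypt) that implements section 3.2 of the RFC using only the Python standard library. It is checked against the RFC's own published test vector for NIST P-256 with SHA-256 (Appendix A.2.5, message "sample"), because that vector has a published expected k; the derivation is the same for classic DSA, where q is the subgroup order. The private key and group order below are the RFC's test values, not anything belonging to the people in this thread.

```python
import hashlib
import hmac

# RFC 6979 test parameters (Appendix A.2.5): NIST P-256 group order and the
# RFC's published test private key. Used only so the output can be checked
# against the RFC; for DSA, substitute the subgroup order q and the DSA x.
P256_ORDER = int(
    "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
RFC6979_TEST_PRIVATE_KEY = int(
    "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: big-endian integer from the leftmost qlen bits."""
    x = int.from_bytes(data, "big")
    blen = len(data) * 8
    return x >> (blen - qlen) if blen > qlen else x


def _int2octets(x: int, rlen_bytes: int) -> bytes:
    """RFC 6979 int2octets: fixed-width big-endian encoding."""
    return x.to_bytes(rlen_bytes, "big")


def _bits2octets(data: bytes, q: int, qlen: int, rlen_bytes: int) -> bytes:
    """RFC 6979 bits2octets: reduce the hash into [0, q) and encode it."""
    z1 = _bits2int(data, qlen)
    z2 = z1 - q
    if z2 < 0:
        z2 = z1
    return _int2octets(z2, rlen_bytes)


def deterministic_k(private_key: int, q: int, message: bytes,
                    hashfunc=hashlib.sha256) -> int:
    """Derive the per-signature nonce k from (private key, message) only.

    No randomness is consumed at signing time, so a broken or missing RNG
    cannot produce a repeated or biased k, which is the failure mode that
    leaks a DSA/ECDSA private key.
    """
    qlen = q.bit_length()
    rlen_bytes = (qlen + 7) // 8
    hlen = hashfunc().digest_size
    h1 = hashfunc(message).digest()
    x_octets = _int2octets(private_key, rlen_bytes)
    h_octets = _bits2octets(h1, q, qlen, rlen_bytes)

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    # HMAC-DRBG instantiation, seeded with the private key and the hashed message.
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = prf(K, V + b"\x00" + x_octets + h_octets)
    V = prf(K, V)
    K = prf(K, V + b"\x01" + x_octets + h_octets)
    V = prf(K, V)

    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = prf(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate outside [1, q-1]: update the DRBG state and try again.
        K = prf(K, V + b"\x00")
        V = prf(K, V)


def nonce_is_stable(private_key: int, q: int, message: bytes) -> bool:
    """Same key and message must always give the same k (the point of RFC 6979)."""
    return (deterministic_k(private_key, q, message)
            == deterministic_k(private_key, q, message))


if __name__ == "__main__":
    k = deterministic_k(RFC6979_TEST_PRIVATE_KEY, P256_ORDER, b"sample")
    print(f"k for 'sample' with SHA-256: {k:064X}")
    print("stable across calls:",
          nonce_is_stable(RFC6979_TEST_PRIVATE_KEY, P256_ORDER, b"sample"))
```

Running the block prints the k value given in RFC 6979 Appendix A.2.5 for the "sample" message. Note that a deterministic k is only as secret as the private key and the hash inputs; it protects against weak randomness at signing time, which is the concern raised in the mail, but not against a compromised key.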