1 |
W dniu pią, 06.07.2018 o godzinie 21∶26 -0400, użytkownik Richard Yao |
2 |
napisał: |
3 |
> > On Jul 5, 2018, at 4:53 PM, Michał Górny <mgorny@g.o> wrote: |
4 |
> > |
5 |
> > Hi, |
6 |
> > |
7 |
> > Here's third version of the patches. I've incorporated the feedback |
8 |
> > so far and reordered the patches (again) to restore their |
9 |
> > degree-of-compatibility order. The full text is included below. |
10 |
> > |
11 |
> > |
12 |
> > Michał Górny (12): |
13 |
> > glep-0063: Use 'OpenPGP' as appropriate |
14 |
> > glep-0063: RSAv4 -> OpenPGP v4 key format |
15 |
> > glep-0063: 'Gentoo subkey' → 'Signing subkey' |
16 |
> > glep-0063: Root key → primary key |
17 |
> > glep-0063: Split out the signing subkey into a separation point |
18 |
> > glep-0063: Explain minimal & recommended sections |
19 |
> > glep-0063: Change the recommended RSA key size to 2048 bits |
20 |
> > glep-0063: Allow ECC curve 25519 keys |
21 |
> > glep-0063: Stop recommending DSA subkeys |
22 |
> > glep-0063: Make 2-yearly expiration term mandatory |
23 |
> > glep-0063: Require renewal 2 weeks before expiration |
24 |
> > glep-0063: Disallow using DSA keys |
25 |
> > |
26 |
> > glep-0063.rst | 97 +++++++++++++++++++++++++++++++++------------------ |
27 |
> > 1 file changed, 64 insertions(+), 33 deletions(-) |
28 |
> > |
29 |
> > |
30 |
> > --- |
31 |
> > GLEP: 63 |
32 |
> > Title: Gentoo OpenPGP policies |
33 |
> > Author: Robin H. Johnson <robbat2@g.o>, |
34 |
> > Andreas K. Hüttel <dilfridge@g.o>, |
35 |
> > Marissa Fischer <blogtodiffer@×××××.com> |
36 |
> > Type: Standards Track |
37 |
> > Status: Final |
38 |
> > Version: 2 |
39 |
> > Created: 2013-02-18 |
40 |
> > Last-Modified: 2018-07-05 |
41 |
> > Post-History: 2013-11-10 |
42 |
> > Content-Type: text/x-rst |
43 |
> > --- |
44 |
> > |
45 |
> > Credits |
46 |
> > ======= |
47 |
> > |
48 |
> > Many developers and external sources helped in this GLEP. |
49 |
> > |
50 |
> > Abstract |
51 |
> > ======== |
52 |
> > |
53 |
> > This GLEP provides both a minimum requirement and a recommended set of |
54 |
> > OpenPGP key management policies for the Gentoo Linux distribution. |
55 |
> > |
56 |
> > Changes |
57 |
> > ======= |
58 |
> > |
59 |
> > v2 |
60 |
> > The distinct minimal and recommended expirations have been replaced |
61 |
> > by a single requirement. The rules have been simplified to use |
62 |
> > the same time of 2 years for both the primary key and subkeys. |
63 |
> > |
64 |
> > An additional rule requesting key renewal 2 weeks before expiration |
65 |
> > has been added. This is in order to give services and other developers time |
66 |
> > to refresh the key. |
67 |
> > |
68 |
> > The usage of DSA keys has been disallowed. |
69 |
> > |
70 |
> > v1.1 |
71 |
> > The recommended RSA key size has been changed from 4096 bits |
72 |
> > to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. |
73 |
> > The larger recommendation was unjustified and resulted in people |
74 |
> > unnecessarily replacing their RSA-2048 keys. |
75 |
> > |
76 |
> > Minimal specification has been amended to allow for ECC keys. |
77 |
> > |
78 |
> > The option of using DSA subkey has been removed from recommendations. |
79 |
> > The section now specifies a single recommendation of using RSA. |
80 |
> > |
81 |
> > Motivation |
82 |
> > ========== |
83 |
> > |
84 |
> > Given the increasing use and importance of cryptographic protocols in internet |
85 |
> > transactions of any kind, unified requirements for OpenPGP keys used in Gentoo |
86 |
> > Linux development are sorely needed. This document provides both a set of |
87 |
> > bare minimum requirements and a set of best practice recommendations for |
88 |
> > the use of GnuPG (or other OpenPGP providers) by Gentoo Linux developers. |
89 |
> > It is intended to provide a basis for future improvements such as, e.g., |
90 |
> > consistent ebuild or package signing and verifying by end users. |
91 |
> > |
92 |
> > Specifications for OpenPGP keys |
93 |
> > =============================== |
94 |
> > |
95 |
> > Bare minimum requirements |
96 |
> > ------------------------- |
97 |
> > This section specifies obligatory requirements for all OpenPGP keys used |
98 |
> > to commit to Gentoo. Keys that do not conform to those requirements can |
99 |
> > not be used to commit. |
100 |
> > |
101 |
> > 1. SHA2-series output digest (SHA1 digests internally permitted), |
102 |
> > 256bit or more:: |
103 |
> > |
104 |
> > personal-digest-preferences SHA256 |
105 |
> > |
106 |
> > 2. Signing subkey that is different from the primary key, and does not |
107 |
> > have any other capabilities enabled. |
108 |
> > |
109 |
> > 3. Primary key and the signing subkey are both of type EITHER: |
110 |
> > |
111 |
> > a. RSA, >=2048 bits (OpenPGP v4 key format or later only) |
112 |
> > |
113 |
> > b. ECC curve 25519 |
114 |
> > |
115 |
> > 4. Expiration date on key and all subkeys set to at most 2 years |
116 |
> > |
117 |
> > 5. Key expiration date renewed at least 2 weeks before the previous |
118 |
> > expiration date. |
119 |
> > |
120 |
> > 6. Upload your key to the SKS keyserver rotation before usage! |
121 |
> > |
122 |
> > Recommendations |
123 |
> > --------------- |
124 |
> > This section specifies the best practices for Gentoo developers. |
125 |
> > The developers should follow those practices unless there is a strong |
126 |
> > technical reason not to (e.g. hardware limitations, necessity of replacing |
127 |
> > their primary key). |
128 |
> > |
129 |
> > 1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append |
130 |
> > the following block:: |
131 |
> |
132 |
> That file no longer exists. |
133 |
> > |
134 |
> > keyserver pool.sks-keyservers.net |
135 |
> |
136 |
> This is less secure than the default according to K_F in #gentoo-infra. |
137 |
> > |
138 |
> > emit-version |
139 |
> |
140 |
> K_F indicated that this harms security too. |
141 |
> > |
142 |
> > default-recipient-self |
143 |
> > |
144 |
> > # -- All of the below portion from the RiseUp.net OpenPGP best practices, and |
145 |
> > # -- many of them are also in the Debian GPG documentation. |
146 |
> > |
147 |
> > # when outputting certificates, view user IDs distinctly from keys: |
148 |
> > fixed-list-mode |
149 |
> > |
150 |
> > # long keyids are more collision-resistant than short keyids (it's trivial to make a key |
151 |
> > # with any desired short keyid) |
152 |
> > # NOTE: this breaks kmail gnupg support! |
153 |
> > keyid-format 0xlong |
154 |
> |
155 |
> This makes the key ids shorter. ^_^;; |
156 |
> > |
157 |
> > # when multiple digests are supported by all recipients, choose the strongest one: |
158 |
> > personal-digest-preferences SHA512 SHA384 SHA256 SHA224 |
159 |
> > |
160 |
> > # preferences chosen for new keys should prioritize stronger algorithms: |
161 |
> > default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed |
162 |
> > |
163 |
> > # If you use a graphical environment (and even if you don't) you should be using an agent: |
164 |
> > # (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) |
165 |
> > use-agent |
166 |
> > |
167 |
> > # You should always know at a glance which User IDs gpg thinks are legitimately bound to |
168 |
> > # the keys in your keyring: |
169 |
> > verify-options show-uid-validity |
170 |
> > list-options show-uid-validity |
171 |
> > |
172 |
> > # include an unambiguous indicator of which key made a signature: |
173 |
> > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) |
174 |
> > # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html) |
175 |
> > sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g |
176 |
> > |
177 |
> > # when making an OpenPGP certification, use a stronger digest than the default SHA1: |
178 |
> > cert-digest-algo SHA256 |
179 |
> |
180 |
> Could we just drop the recommended gpg.conf? Many of these suggestions are outdated. |
181 |
> > |
182 |
|
183 |
I didn't like it either but didn't want to spent time updating it. |
184 |
Dropping completely works for me. Done in v4. |
185 |
|
186 |
-- |
187 |
Best regards, |
188 |
Michał Górny |