[cryptography] technical question about gpg on debian/sid
wk at gnupg.org
Tue Oct 15 14:06:55 EDT 2013
On Tue, 15 Oct 2013 18:10, fungi at yuggoth.org said:
> Also, to bring this further onto topic, any critiques of the above
> linked articles are of interest to me. I'm currently in the process
> of drafting some similar recommendations for another large free
There is a simple rule for best practices: Use the defaults - they are
there for a reason. We try to provide best interoperability by updating
the defaults as need arise and if most installed versions support these
Noteworthy changes in version 1.4.10 (2009-09-02)
Noteworthy changes in version 2.0.13 (2009-09-04)
* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm (SHA-224 was used before).
Regarding SHA256, the default preferences (as used for sign+encrypt) for
a new key are for quite some time:
/* The default hash algo order is:
SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
Ordering SHA-1 before SHA-384 might be viewed as a bit
strange; it is done because we expect that soon enough
SHA-3 will be available and at that point there should
be no more need for SHA-384 etc. Anyway this order is
just a default and can easily be changed by a config
If you want to write up something, I suggested to mention the creation
of a revocation certificate. Unfortunately gpg does not yet do this
automatically. And most important, stress the importance to somehow
keeping the box secure so not to fall prey to the standard attacks.
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the cryptography