
Re: Updating GPG howto (http://keyring.debian.org/creating-key.html)



On Wed, Apr 06, 2011 at 12:15:49PM +0200, Vincent Caron wrote:
> On Wed, 2011-04-06 at 01:09 +0000, brian m. carlson wrote:
> > On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
> > >   2/ It is suggested to update gnupg.conf with:
> > > 
> > >   personal-digest-preferences SHA256
> > >   cert-digest-algo SHA256
> > >   default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> > > 
> > >   Is it still needed with GnuPG 1.4.11 ?
> > 
> > This isn't strictly needed with any version of GnuPG.  However, these
> > settings choose algorithms which are known to be stronger (avoiding MD5
> > and the mandatory but somewhat weakened SHA1).  Setting
> > default-preference-list specifies which algorithms you prefer in your
> > key's self-signature (which you can always change later).
> > Implementations are forbidden from using algorithms (other than the
> > default must-implement ones) that you do not specify in your
> > self-signature.  Using cert-digest-algo chooses the algorithm you will
> > use in signing keys.  And finally, personal-digest-preferences is the
> > algorithm you will use when signing data.
> 
>    That's a nice explanation that would fit on
> http://keyring.debian.org/creating-key.html

It's not entirely accurate. The point of those lines is to ensure that
older (certainly lenny and earlier, I'm not sure when the default
changed) versions of GnuPG don't use SHA1 when signing keys (either your
own or others').

J.

-- 
It's ten o'clock; do you know where your processes are?
This .sig brought to you by the letter L and the number 13
Product of the Republic of HuggieTag
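
An added example, not from this thread or from the Debian howto: a Python check that reads gpg.conf text and reports when any of the three options quoted above is unset or ranks MD5 or SHA1 first. The function names, the weak-digest set and the second sample config are assumptions made for this example.

```python
"""Audit gpg.conf text for the three digest options quoted in the thread."""

WEAK = {"MD5", "SHA1"}  # the digests the thread wants to avoid
DIGESTS = WEAK | {"RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512"}

# The three lines quoted in the thread.
THREAD_CONF = """\
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""

# Constructed sample: SHA1 for key signatures and as the first data digest.
WEAK_CONF = """\
# constructed example config
cert-digest-algo SHA1
personal-digest-preferences SHA1 SHA256
"""


def parse_options(text):
    """Return {option: [arguments]}. Simplification: a repeated option keeps its last line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        opts[name.lower()] = args
    return opts


def audit(text):
    """Return a list of (option, problem) tuples; an empty list means nothing was flagged."""
    opts = parse_options(text)
    findings = []
    for name in ("cert-digest-algo", "personal-digest-preferences",
                 "default-preference-list"):
        # Keep only digest names; the preference list also carries ciphers and compression.
        digests = [a.upper() for a in opts.get(name, []) if a.upper() in DIGESTS]
        if not digests:
            findings.append((name, "unset or names no digest, GnuPG's default applies"))
        elif digests[0] in WEAK:
            findings.append((name, f"weak digest {digests[0]} is ranked first"))
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("constructed", WEAK_CONF)):
        print(label, audit(conf) or "ok")
```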