On Mon, 19 Jul 2010 22:04:19 -0700, Lars Wirzenius <liw@liw.fi> wrote:
> On ma, 2010-07-19 at 23:37 -0400, Daniel Kahn Gillmor wrote:
> > RSA keys of 2048-bits or longer are recommended, with
> > self-certifications using SHA-256 or stronger. More detailed
> > recommendations can be found here:
> >
> > https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#openpgp-key-checks
>
> From the web page:
>
>     self-signatures must not use MD5
>
>     You can check this by doing:
>
>     gpg --export-options export-minimal --export <keyid> | gpg
>     --list-packets |grep -A 2 signature|grep 'digest algo 1,'
>
> This is not very explicit about what the output should be, or what lack
> of output does. I'd extrapolate from the rest of the page and from what
> I know about Unix command line use, but I've found gpg to be rather hard
> to use right, and even harder to be confident about.

Can't argue there. You are right that this isn't obvious unless you are a Unix head. I'll add a little more info about this.

> Is there an actual "gpg lint" kind of tool anywhere? I _think_ I made a
> sufficiently good key last year, but I am not certain about it, and it
> is possible the above MD5 test is failing.

dkg proposed such a tool to do such a thing[0] but got only a luke-warm reply, and it has not been implemented.

> Failing that, are there instructions for creating a new key?

Sure, I think Ana's[1] page about this is a good set of instructions.

micah

0. http://www.imc.org/ietf-openpgp/mail-archive/msg34211.html
1. http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
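The MD5 check quoted in the message above, rewritten so that both its output and its exit status are explicit; this is an added example, not part of the original thread and not the lint tool the message refers to. The names `lint_sig_digests` and `sample_packets` are hypothetical, the sample packet listing is constructed, and the WARN tier is an assumption that applies the quoted "SHA-256 or stronger" recommendation.

```shell
#!/bin/sh
# Reads `gpg --list-packets` output on stdin; prints one verdict per signature packet.
# Digest IDs (RFC 4880): 1=MD5 2=SHA-1 3=RIPEMD-160 8=SHA-256 9=SHA-384 10=SHA-512 11=SHA-224
# Exit status: 2 = MD5 signature present, 1 = something below SHA-256, 0 = clean.
lint_sig_digests() {
    awk '
    BEGIN {
        name[1] = "MD5"; name[2] = "SHA-1"; name[3] = "RIPEMD-160"; name[8] = "SHA-256"
        name[9] = "SHA-384"; name[10] = "SHA-512"; name[11] = "SHA-224"; worst = 0
    }
    /^:signature packet:/ {          # header line carries the issuer key ID
        insig = 1; keyid = "?"; sc = "?"
        for (i = 1; i < NF; i++) if ($i == "keyid") keyid = $(i + 1)
        next
    }
    /^:/ { insig = 0; next }         # any other packet header ends the signature
    insig && /sigclass/ { for (i = 1; i < NF; i++) if ($i == "sigclass") sc = $(i + 1) }
    insig && /digest algo/ {
        for (i = 1; i < NF; i++) if ($i == "algo") algo = $(i + 1)
        sub(/,$/, "", algo); algo += 0
        if (algo == 1) { verdict = "FAIL"; rank = 2 }
        else if (algo >= 8 && algo <= 10) { verdict = "OK"; rank = 0 }
        else { verdict = "WARN"; rank = 1 }
        if (rank > worst) worst = rank
        label = (algo in name) ? name[algo] : "algo-" algo
        printf "%s keyid=%s sigclass=%s digest=%s\n", verdict, keyid, sc, label
        insig = 0
    }
    END { exit worst }'
}
# Constructed sample in the shape of `gpg --list-packets` output (not a real key).
sample_packets() {
    cat <<'EOF'
:public key packet:
:user ID packet: "Constructed User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1279000000, md5len 0, sigclass 0x13
    digest algo 1, begin of digest ab cd
:user ID packet: "Constructed User <other@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1279000001, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
:public sub key packet:
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1279000002, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 56 78
EOF
}
sample_packets | lint_sig_digests || echo "exit status: $?"
```

To check a real key, pipe the quoted `gpg --export-options export-minimal --export <keyid> | gpg --list-packets` into `lint_sig_digests` in place of `sample_packets`.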