Hi there!

Sorry for the late reply, I did not have the time to finish this during DebConf10 and I am still catching up with post-DebConf10 holidays :-)

On Mon, 2010-07-19 at 23:37 -0400, Daniel Kahn Gillmor wrote:
> RSA keys of 2048-bits or longer are recommended, with
> self-certifications using SHA-256 or stronger. More detailed
> recommendations can be found here:
>
> https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#openpgp-key-checks

Thank you micah for that page. I think we should put all the information on the Debian wiki (since we heavily rely on OpenPGP), or at least have a "collective" page with various links:

http://wiki.debian.org/Smartcards/OpenPGP
http://www.einval.com/~steve/docs/gpg-autofs.html
http://www.crypto-stick.org/

With this mail, however, I would like to comment on using the HKPS keyservers. The problem with this approach is that you cannot use a round-robin server (like keys.gnupg.net, the default if none is specified in gpg.conf, or subkeys.pgp.net), and relying on a single keyserver can cause problems as well if the keyserver is not regularly synced.

And IMHO the Indymedia example could use some love; here are the problems I found ;-)

1) the link to the CAcert.org root certificate is broken: you need to prepend the domain with "www" to get the correct page, otherwise you are redirected to the CAcert.org homepage.

2) "keyserver hkps://keys.indymedia.org" does not work with the default GnuPG in stable:

=====
luca@baloo:~$ gpg --recv-keys E397832F
gpg: requesting key E397832F from hkps server keys.indymedia.org
gpgkeys: protocol `hkps' not supported
gpg: no handler for keyserver scheme `hkps'
gpg: keyserver receive failed: keyserver error
luca@baloo:~$ gpg --version
gpg (GnuPG) 1.4.9
[...]
luca@baloo:~$
=====

The same in squeeze, but with a different error:

=====
luca@gismo:~$ gpg --refresh-keys luca@pca.it
gpg: refreshing 3 keys from hkps://keys.indymedia.org
gpg: requesting key 9DDB992B from hkps server keys.indymedia.org
gpg: requesting key 6D742669 from hkps server keys.indymedia.org
gpg: requesting key E397832F from hkps server keys.indymedia.org
gpgkeys: HTTP fetch error 1: unsupported protocol
gpgkeys: HTTP fetch error 1: unsupported protocol
gpgkeys: HTTP fetch error 1: unsupported protocol
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
luca@gismo:~$ gpg --version
gpg (GnuPG) 1.4.10
[...]
luca@gismo:~$
=====

It does work, however, with GnuPG-2 in squeeze:

=====
luca@gismo:~$ gpg2 --refresh-keys luca@pca.it
gpg: refreshing 3 keys from hkps://keys.indymedia.org
gpg: requesting key 9DDB992B from hkps server keys.indymedia.org
gpg: requesting key 6D742669 from hkps server keys.indymedia.org
gpg: requesting key E397832F from hkps server keys.indymedia.org
gpg: key 9DDB992B: "Luca Capello <luca@pca.it>" not changed
gpg: key 6D742669: "Luca Capello <luca@pca.it>" not changed
gpg: key E397832F: "Luca Capello <luca@pca.it>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
luca@gismo:~$ gpg2 --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
[...]
luca@gismo:~$
=====

3) at least for Debian, I would rather suggest using "keyserver-options ca-cert-file=/etc/ssl/certs/cacert.org.pem", since that certificate should stay updated: it is part of the ca-certificates package (installed by default in a standard Debian graphical environment) and it is also activated by default.

Thx, bye,
Gismo / Luca
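The three points in the message above (hkps cannot sit in front of a round-robin pool, hkps needs the signing CA supplied through ca-cert-file, and that CA file should be a maintained system path) can be turned into a quick lint of a gpg.conf. The script below is an added example, not code from the message, from Debian or from GnuPG; the configuration files, the stand-in cacert.org.pem and the temporary directory it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message or from GnuPG): lint the
# keyserver lines of a gpg.conf against the points made in the message.
# Paths created by demo() below are constructed stand-ins.

# Round-robin pools named in the message; one pinned certificate cannot
# match a rotating set of independently run hosts.
POOLS="keys.gnupg.net subkeys.pgp.net"

# check_gpg_conf FILE: print a verdict; return 0 if usable, 1 otherwise.
check_gpg_conf() {
    conf="$1"
    # First "keyserver ..." line. "keyserver-options" does not match because
    # the pattern requires whitespace directly after the word.
    ks=$(grep -E '^[[:space:]]*keyserver[[:space:]]' "$conf" \
         | head -n 1 \
         | sed -E 's/^[[:space:]]*keyserver[[:space:]]+//; s/[[:space:]]+$//')
    # ca-cert-file=... from any keyserver-options line.
    ca=$(grep -E '^[[:space:]]*keyserver-options[[:space:]]' "$conf" \
         | sed -E -n 's/.*ca-cert-file=([^[:space:],]+).*/\1/p' | head -n 1)

    if [ -z "$ks" ]; then
        echo "WARN: no keyserver line; the built-in default pool (plain hkp) will be used"
        return 1
    fi
    case "$ks" in
        hkps://*) ;;
        *)
            echo "WARN: '$ks' is not hkps; lookups travel in the clear and can be altered in transit"
            return 1 ;;
    esac
    # Strip scheme, path and port to get the bare host name.
    host=${ks#hkps://}; host=${host%%/*}; host=${host%%:*}
    for p in $POOLS; do
        if [ "$host" = "$p" ]; then
            echo "FAIL: $host is a round-robin pool; hkps needs a single, pinned server"
            return 1
        fi
    done
    if [ -z "$ca" ]; then
        echo "WARN: hkps without ca-cert-file; supply the CA that signed $host (on Debian the message suggests /etc/ssl/certs/cacert.org.pem)"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "FAIL: ca-cert-file $ca is missing or unreadable"
        return 1
    fi
    echo "OK: hkps://$host with CA file $ca"
    return 0
}

# Demo on constructed configs: the weak setting beside the corrected one.
demo() {
    d=$(mktemp -d)
    printf 'keyserver hkp://keys.gnupg.net\n' > "$d/weak.conf"
    printf 'keyserver hkps://keys.indymedia.org\nkeyserver-options ca-cert-file=%s/cacert.org.pem\n' \
        "$d" > "$d/good.conf"
    : > "$d/cacert.org.pem"   # constructed stand-in for the real CAcert root
    check_gpg_conf "$d/weak.conf" || true
    check_gpg_conf "$d/good.conf"
    rm -rf "$d"
}
demo
```

The ca-cert-file check only confirms the file is present and readable; it does not validate that the PEM inside is the root that actually signed the keyserver's certificate, which the hkps connection itself will report when the option is wrong.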