[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Best practices for OpenPGP keys?

Drew Scott Daniels wrote:
> Hi,
> Is there any good documentation about best practices for OpenPGP key
> management? I plan to use gnupg (gpg), as it's conventional and seems like
> the "best of breed" these days.
> Most documentation I've found seems significantly out of date (including
> long discussions of incompatibilities with versions from 2001...). I did
> find it interesting that the IDEA patents are expiring in May this year
> for the EU and US if I remember
You are not alone.
> The best documentation I have found includes:
> http://arfore.com/2007/07/29/gpg-best-practices/
> http://www.cam.ac.uk.pgp.net/pgpnet/pgp-faq/
> Over the years I've heard some ideas like:
> [...]
>    * Set an expiry date on your primary key and/or sub-key and sign a new
> key before the old key expires. I think this is problematic for some
> key reading programs though I can't remember any instances. Expiry
> dates aren't default and seemed to be uncommon last time I checked.
This is a good idea, which is not widely applicated since people are
principally lazy.
> [...]
>    * Don't store your key on machines that connect to any networks.
That becomes paranoïa, at least to me. Everything depends on your
> Transferring signed data is time consuming, inconvenient... 
But maybe better than revealing secrets.
> [...]
>    * Use a random string for your passphrase. I was "bit" by this on my
> first attempt to use a keypair years ago (around 2003). I forgot the
> passphrase.
The problem is actually more general than this. Often, people think that
using long and pseudo-randomly-generated passwords is a good thing.
Actually, that is one of the worst thing one can do, except if he has a
computer's memory in his head: the more complicated a password (here a
passphrase), the more difficult it is to memorize. As a
difficult-to-memorize password is often written somewhere, it becomes
completely stupid to use such a (nowadays-)hacker-proof.
> [...]
> * "Harden" machines that contain your private key. While it's usually a
> good idea to do this for all machines, I would hope that most things
> would be secure without having to spend the extra time doing
> configurations...
I always liked, e.g. SELinux, but this is not a common voice.
> [...]

> A nice guide to
> implement the appropriate SELinux security context for a private key
> would be nice, maybe I'm missing something from gnupg, fedora and/or
> elsewhere.
Totally. If you find one, please e-mail me. I would be really happy.

Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.

The weak can never forgive. Forgiveness is the attribute of the strong.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: