Drew Scott Daniels wrote: > Hi, > Is there any good documentation about best practices for OpenPGP key > management? I plan to use gnupg (gpg), as it's conventional and seems like > the "best of breed" these days. > > Most documentation I've found seems significantly out of date (including > long discussions of incompatibilities with versions from 2001...). I did > find it interesting that the IDEA patents are expiring in May this year > for the EU and US if I remember > You are not alone. > The best documentation I have found includes: > http://arfore.com/2007/07/29/gpg-best-practices/ > http://www.cam.ac.uk.pgp.net/pgpnet/pgp-faq/ > > Over the years I've heard some ideas like: > [...] > * Set an expiry date on your primary key and/or sub-key and sign a new > key before the old key expires. I think this is problematic for some > key reading programs though I can't remember any instances. Expiry > dates aren't default and seemed to be uncommon last time I checked. > This is a good idea, which is not widely applicated since people are principally lazy. > [...] > * Don't store your key on machines that connect to any networks. > That becomes paranoïa, at least to me. Everything depends on your configuration. > Transferring signed data is time consuming, inconvenient... But maybe better than revealing secrets. > [...] > * Use a random string for your passphrase. I was "bit" by this on my > first attempt to use a keypair years ago (around 2003). I forgot the > passphrase. > The problem is actually more general than this. Often, people think that using long and pseudo-randomly-generated passwords is a good thing. Actually, that is one of the worst thing one can do, except if he has a computer's memory in his head: the more complicated a password (here a passphrase), the more difficult it is to memorize. As a difficult-to-memorize password is often written somewhere, it becomes completely stupid to use such a (nowadays-)hacker-proof. > [...] > * "Harden" machines that contain your private key. While it's usually a > good idea to do this for all machines, I would hope that most things > would be secure without having to spend the extra time doing > configurations... > I always liked, e.g. SELinux, but this is not a common voice. > [...] > A nice guide to > implement the appropriate SELinux security context for a private key > would be nice, maybe I'm missing something from gnupg, fedora and/or > elsewhere. Totally. If you find one, please e-mail me. I would be really happy. -- Merciadri Luca See http://www.student.montefiore.ulg.ac.be/~merciadri/ I use PGP. If there is an incompatibility problem with your mail client, please contact me. The weak can never forgive. Forgiveness is the attribute of the strong.
Description: OpenPGP digital signature