Remove the gpg.conf bits from the recommended and minimal specifications. Apparently they are seriously obsolete and worse than the modern defaults. While at it, editorial corrections to the 'SHA2' bit.
Requested-by: Richard Yao <[email protected]> --- glep-0063.rst | 60 ++++++++------------------------------------------- 1 file changed, 9 insertions(+), 51 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index 37b1f4d..84d87d2 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -42,6 +42,9 @@ v2 The ``gpgfingerprint`` LDAP field has been altered to remove optional whitespace. + The ``gpg.conf`` contents have been removed as they were seriously + outdated and decreased security over the modern defaults. + v1.1 The recommended RSA key size has been changed from 4096 bits to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. @@ -73,10 +76,8 @@ This section specifies obligatory requirements for all OpenPGP keys used to commit to Gentoo. Keys that do not conform to those requirements can not be used to commit. -1. SHA2-series output digest (SHA1 digests internally permitted), - 256bit or more:: - - personal-digest-preferences SHA256 +1. SHA-2 series output digest (SHA-1 digests internally permitted), + at least 256-bit. 2. Signing subkey that is different from the primary key, and does not have any other capabilities enabled 
@@ -102,58 +103,15 @@ The developers should follow those practices unless there is a strong technical reason not to (e.g. hardware limitations, necessity of replacing their primary key). -1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append - the following block:: - - keyserver pool.sks-keyservers.net - - emit-version - - default-recipient-self - - # -- All of the below portion from the RiseUp.net OpenPGP best practices, and - # -- many of them are also in the Debian GPG documentation. - - # when outputting certificates, view user IDs distinctly from keys: - fixed-list-mode - - # long keyids are more collision-resistant than short keyids (it's trivial to make a key - # with any desired short keyid) - # NOTE: this breaks kmail gnupg support! - keyid-format 0xlong - - # when multiple digests are supported by all recipients, choose the strongest one: - personal-digest-preferences SHA512 SHA384 SHA256 SHA224 - - # preferences chosen for new keys should prioritize stronger algorithms: - default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed - - # If you use a graphical environment (and even if you don't) you should be using an agent: - # (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) - use-agent - - # You should always know at a glance which User IDs gpg thinks are legitimately bound to - # the keys in your keyring: - verify-options show-uid-validity - list-options show-uid-validity - - # include an unambiguous indicator of which key made a signature: - # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) - # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html) - sig-notation [email protected]=%g - - # when making an OpenPGP certification, use a stronger digest than the default SHA1: - cert-digest-algo SHA256 - -2. Primary key and the signing subkey are both of type RSA, 2048 bits +1. 
Primary key and the signing subkey are both of type RSA, 2048 bits (OpenPGP v4 key format or later) -3. Key expiration renewed annually to a fixed day of the year +2. Key expiration renewed annually to a fixed day of the year -4. Create a revocation certificate & store it hardcopy offsite securely +3. Create a revocation certificate & store it hardcopy offsite securely (it's about ~300 bytes). -5. Encrypted backup of your secret keys. +4. Encrypted backup of your secret keys. Gentoo LDAP =========== -- 2.18.0
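Review bot: in the `@@ -42,6 +42,9 @@` hunk the new v2 changelog entry says the gpg.conf contents "decreased security over the modern defaults" without naming a single offending option, so a developer who already pasted the old block into ~/.gnupg/gpg.conf has no idea what to delete. Name the concrete regressions from the removed block, e.g. `emit-version` (stamps the GnuPG version into every armored output), `use-agent` (a dummy option on GnuPG 2.1 and later) and the `default-preference-list` that keeps the legacy CAST5 cipher in the advertised set, and state which GnuPG release's defaults are the baseline; "modern defaults" is not something a reader can verify. Wording: "decreased security relative to the modern defaults" reads better than "over".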
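Review bot: in the `@@ -73,10 +76,8 @@` hunk, dropping the `personal-digest-preferences SHA256` line leaves minimal requirement 1 with no way for a developer to check that their signatures actually use a 256-bit-or-larger SHA-2 digest; add a one-line check such as running `gpg --list-packets` on a detached signature and confirming the digest algo is 8, 9 or 10 (SHA256/SHA384/SHA512), not 2 (SHA-1). Also "SHA-1 digests internally permitted" is undefined: say where SHA-1 is tolerated (v4 key fingerprints are SHA-1 by construction and cannot be changed, whereas old SHA-1 self-signatures on a key are a separate question), otherwise the requirement cannot be audited.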
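Review bot: in the `@@ -102,58 +103,15 @@` hunk the removal throws out `cert-digest-algo SHA256` and `personal-digest-preferences SHA512 SHA384 SHA256 SHA224` together with the obsolete options, but those two lines are what made GnuPG releases whose built-in certification digest is still SHA-1 satisfy minimal requirement 1. Unless the recommended section states the minimum GnuPG version whose defaults are being relied on, a developer on an older gpg now loses the only setting that kept them compliant; either keep those two lines as a minimal gpg.conf snippet or add a "requires GnuPG >= X" sentence next to the renumbered item 1. Minor, since the list is being renumbered anyway: item 3 should read "store a hardcopy offsite securely" rather than "store it hardcopy offsite securely".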
