On Fri, 01 Aug 2014 14:50:03 +0200, intrigeri <[email protected]> wrote:

> Hi,
>
> intrigeri wrote (14 Jul 2014 10:38:47 GMT) :
> > Also, I would find it good to be even closer to duraconf's gpg.conf:
> > e.g.
> >
> > * we could plausibly take the "algorithm and ciphers" section as-is
> > * the no-honor-keyserver-url keyserver-options could be split out
> >
> > Ideally, a diff of our gpg.conf and duraconf's would only show a few
> > added/changed lines, for easier auditing and maintenance. What do
> > you think?
>
> Ping? (If you don't intend to work on this branch any further, no
> problem, just tell us :)

ok, reading riseup's document on best practices I was convinced about the no-honor-keyserver-url option to be set.

https://help.riseup.net/en/security/message-security/openpgp/best-practices#ensure-that-all-keys-are-refreshed-through-the-keyserver-you-have-selected

"This is useful because (1) it prevents someone from designating an insecure method for pulling their key and (2) if the server designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will never be refreshed. Note also that an attacker could designate a keyserver that they control to monitor when or from where you refresh their key."

and I don't really know enough about cyphers to have an opinion on the cyphers.

but yea, now that you mention it, I realise that regarding releases and changes it is better to stick more to duraconf, or in any case try to convince the riseup people

I will dive on git and come back with a cleaner patch based in devel

cheers

>
> Cheers,

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
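
An added example, not part of the original message or of the Tails or duraconf repositories: a small audit that reports whether a gpg.conf ends up with honor-keyserver-url disabled, and which active lines differ from a reference file. Both sample configs, the keyserver URL and the function names are constructed for illustration; it assumes keyserver-options lines are applied in file order and that honoring the key's preferred keyserver URL is the default.

```python
# Constructed reference config (a stand-in, not duraconf's actual gpg.conf).
REFERENCE = """\
# refresh keys only through the selected keyserver
keyserver hkps://keyserver.example
keyserver-options no-honor-keyserver-url
personal-digest-preferences SHA512 SHA384 SHA256
"""

# Constructed local config: a later line silently re-enables the option.
OURS = """\
keyserver hkps://keyserver.example
keyserver-options no-honor-keyserver-url,include-revoked
keyserver-options honor-keyserver-url
personal-digest-preferences SHA512 SHA384 SHA256
"""

def config_lines(conf_text):
    """Active settings only: drop blanks and '#' comment lines, normalise spacing."""
    lines = (" ".join(l.split()) for l in conf_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def effective_keyserver_options(conf_text, honor_default=True):
    """Fold every keyserver-options line, in order, into {option: enabled}."""
    state = {"honor-keyserver-url": honor_default}  # assumed default, see lead-in
    for line in config_lines(conf_text):
        name, _, value = line.partition(" ")
        if name != "keyserver-options":
            continue
        # Options may be separated by spaces or commas; "no-" negates one.
        for opt in value.replace(",", " ").split():
            key = opt.split("=", 1)[0]
            if key.startswith("no-"):
                state[key[3:]] = False
            else:
                state[key] = True
    return state

def audit_diff(ours, reference):
    """Lines only in the reference ('- ') followed by lines only in ours ('+ ')."""
    ref, mine = config_lines(reference), config_lines(ours)
    return ([f"- {l}" for l in ref if l not in mine] +
            [f"+ {l}" for l in mine if l not in ref])

if __name__ == "__main__":
    print("honor-keyserver-url:", effective_keyserver_options(OURS)["honor-keyserver-url"])
    print("\n".join(audit_diff(OURS, REFERENCE)))
```

Keeping the option on its own keyserver-options line, as suggested in the quoted message, makes a re-enabling line like the one in the constructed sample show up as a single-line difference.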
