Re: [EXT] Best practices for obtaining a new GPG certificate
On Friday, 19 March 2021 08:24:53, Werner Koch via Gnupg-users wrote:
> On Fri, 19 Mar 2021 01:50, Ángel said:
> > The FAQ is outdated. GnuPG was indeed updated some years ago to use 3072
> > as the default size for rsa
>
> Actually 7 months:
>
>   Noteworthy changes in version 2.2.22 (2020-08-27)
>
>   * gpg: Change the default key algorithm to rsa3072.
>
> But some Linux distributions changed it earlier.

https://wiki.gnupg.org/LargeKeys is the wiki page to catch some of the arguments leading to the recommendations. It could use some more updates for the upcoming future default.

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [EXT] Best practices for obtaining a new GPG certificate
On Fri, 19 Mar 2021 01:50, Ángel said:
> The FAQ is outdated. GnuPG was indeed updated some years ago to use 3072
> as the default size for rsa

Actually 7 months:

  Noteworthy changes in version 2.2.22 (2020-08-27)

  * gpg: Change the default key algorithm to rsa3072.

But some Linux distributions changed it earlier.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

Re: [EXT] Best practices for obtaining a new GPG certificate
> Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about a
> default of '2048' but in the latest (2.2.17) release of GPG it looks like
> the default is now '3072':

Yep.

[puts on maintainer hat]

The last time I suggested revisions to that text there was no community consensus on what should replace it. Each proposed replacement met significant criticism. My current plan is to wait until GnuPG 2.3 is released and then update the FAQ to reflect those changes, and hope that by that time there's community consensus to support the changes.

The FAQ isn't being ignored. I'd like to do a total overhaul of it. However, the FAQ isn't meant to be my opinions and rants: it's meant to be *the community's* voice. So I'm kind of dependent on the mailing list for support.

[takes off maintainer hat]

Re: [EXT] Best practices for obtaining a new GPG certificate
On 2021-03-18 at 15:15 +0100, john doe via Gnupg-users wrote:
> Reading the URLs given by the OP, I see that the GPG FAQ (1) talks
> about a default of '2048' but in the latest (2.2.17) release of GPG
> it looks like the default is now '3072':
> What keysize do you want? (3072)
>
>
> Am I missing something?
>
> 1) https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

The FAQ is outdated. GnuPG was indeed updated some years ago to use 3072 as the default size for rsa

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=909fbca19678e6e36968607e8a2348381da39d8c

Re: [EXT] Best practices for obtaining a new GPG certificate
On 3/18/2021 2:39 PM, Andreas K. Huettel wrote:
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about a default of '2048' but in the latest (2.2.17) release of GPG it looks like the default is now '3072':

    gpg --expert --full-gen-key
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
       (9) ECC and ECC
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (13) Existing key
      (14) Existing key from card
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (3072)

Am I missing something?

1) https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

--
John Doe

Re: [EXT] Best practices for obtaining a new GPG certificate
https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

> On the pages, I get 'There is currently no text in this page. You can
> search for this page title in other pages, or ...'.
> Am I missing something?

Only that kmail insisted on breaking the link... let's hope it doesn't this time.

(Not every mail client implements flowing text correctly, which is why having the client insert line breaks is the safer variant for readability. However...)

--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huet...@ur.de
http://www.akhuettel.de/

Re: [EXT] Best practices for obtaining a new GPG certificate
On 3/18/2021 10:21 AM, Andreas K. Huettel wrote:
> Hi David,
>
> when Gentoo switched to requiring gpg-signed git commits and pushes, we put
> some thought into requirements and best practices. Minus the Gentoo-specific
> parts, this is probably good reading:
>
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/
> Generating_GLEP_63_based_OpenPGP_keys

On the pages, I get 'There is currently no text in this page. You can search for this page title in other pages, or ...'.

Am I missing something?

--
John Doe

Re: [EXT] Best practices for obtaining a new GPG certificate
Hi David,

when Gentoo switched to requiring gpg-signed git commits and pushes, we put some thought into requirements and best practices. Minus the Gentoo-specific parts, this is probably good reading:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/
Generating_GLEP_63_based_OpenPGP_keys

Best,
Andreas

On Thursday, 18 March 2021, 05:06:24 CET, David Mehler via Gnupg-users wrote:
> Hello,
>
> My existing GPG certificate is going to expire in less than a month.
> I'd like to know current best practices for obtaining a new one? In
> particular I'm looking for the best protocol and strength for a
> security not a performance stance. The certificate will mainly be used
> for verifying and signing sent messages, and tagging git commits on
> personal servers. Devices used will be Windows 10 pcs and tablets and
> Android (version 10 and 11) phones and tablets.
> Suggestions welcome.
> Thanks.
> Dave.

--
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huet...@ur.de
http://www.akhuettel.de/
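
The two concerns raised in this thread (RSA size relative to the rsa3072 default, and a key about to expire) can be checked on an existing keyring from GnuPG's colon-format listing. The script below is an added example, not part of any poster's message or of GnuPG itself. Assumptions: the function name `audit_keys`, the constructed sample listing with made-up key IDs and dates, and the 3072-bit floor and 30-day warning window as local policy choices.

```shell
#!/bin/sh
# Added example: flag RSA keys below 3072 bits and keys that are expired or
# about to expire, from `gpg --list-keys --with-colons` output on stdin.
# Real use: gpg --list-keys --with-colons | audit_keys "$(date +%s)" 30
#
# Colon-format fields (GnuPG doc/DETAILS): 1=record type, 2=validity,
# 3=key length, 4=public-key algorithm id, 5=key id,
# 7=expiration date (epoch seconds, empty when the key never expires).

# audit_keys NOW_EPOCH WARN_DAYS
audit_keys() {
    awk -F: -v now="$1" -v days="$2" '
    $1 == "pub" || $1 == "sub" {
        algo = $4; bits = $3 + 0; keyid = $5; expiry = $7
        # Algorithm id 1 is RSA; 2 and 3 are the legacy encrypt-only and
        # sign-only RSA ids. The 3072 floor is an assumed local policy.
        if ((algo == 1 || algo == 2 || algo == 3) && bits < 3072)
            printf "WEAK %s %s rsa%d\n", $1, keyid, bits
        # Validity "e" means GnuPG already considers the key expired.
        if ($2 == "e" || (expiry != "" && expiry + 0 <= now + 0))
            printf "EXPIRED %s %s\n", $1, keyid
        else if (expiry != "" && expiry - now <= days * 86400)
            printf "EXPIRING %s %s %d\n", $1, keyid, int((expiry - now) / 86400)
    }'
}

# Constructed sample listing (key IDs, dates and user ID are made up).
SAMPLE='pub:u:2048:1:AAAAAAAAAAAAAAAA:1552000000:1617000000::u:::scESC::::::23::0:
uid:u::::1552000000::0000::Constructed User <user@example.org>::::::::::0:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1552000000:1617000000:::::e::::::23:
pub:u:3072:1:CCCCCCCCCCCCCCCC:1600000000:::u:::scESC::::::23::0:
pub:e:4096:1:DDDDDDDDDDDDDDDD:1400000000:1500000000::u:::sc::::::23::0:
pub:u:255:22:EEEEEEEEEEEEEEEE:1600000000:1700000000::u:::scSC:::::ed25519:::0:'

# Fixed "now" (2021-03-17 UTC) so the sample report is reproducible.
printf '%s\n' "$SAMPLE" | audit_keys 1616000000 30
```

Each output line is `WEAK`, `EXPIRED` or `EXPIRING` followed by the record type and key ID; `EXPIRING` lines end with the whole days remaining.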