Revocation certificate creation (was: options files)
On Tue, 26 Feb 2013 01:25, cr...@2ndquadrant.com said:

> I really wish a 1y or 2y expiry was the default and that gpg prompted
> you to generate a revcert as part of key generation. I spend a lot of

I wish I had done that right from the beginning. The reason why I did not was the fear that then the revocation certificate would be readily available on the disk and 3 things may happen:

- The user accidentally imports that certificate and it would eventually end up on the keyservers.
- Someone else gets access to the revocation certificate and sends it to the keyserver.
- The disk crashed and the user has no backup.

Reviewing this today I may say that the first could be mitigated by indenting the lines of the revocation certificate so that GPG would not be able to import it directly. The second is not a real issue. The third is probably the most likely threat; however, it would not be worse than not having a revocation certificate at all.

Given that the default for smartcards is to store the backup on disk and ask the user to move it to a safer place, we might as well do something similar for revocation certificates. Comments?

Regarding a default expiration date: It may be useful if GUIs would do this (as long as they also offer an option to prolong the expiration).

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are regulated by a federal law.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
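Worked example added by the editor (not code from this thread and not GnuPG's own code): a small Python script that stores a revocation certificate the way Werner proposes, with every line prefixed so that gpg's armor detector, which looks for the BEGIN line at the start of a line, does not recognise the file, and that checks the armor's RFC 4880 CRC-24 before the stored copy is relied on, which covers the "disk went bad" case. The sample certificate is built from placeholder bytes and is not a real revocation signature; the colon prefix, the function names and the status strings are this example's own choices. (Later GnuPG releases, 2.1 and up, write their auto-generated revocation certificates in exactly this colon-prefixed form.)

```python
"""Keep a revocation certificate on disk without making it importable by
accident, and verify its ASCII armor before relying on it.

Added example (editor's code, not GnuPG's): RFC 4880 armor handling
(base64 body plus CRC-24 trailer) and the "prefix every line" idea from
the message above.  SAMPLE_PACKET is placeholder bytes, not a real
revocation signature; all names here are this example's own.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
DISABLED_PREFIX = ":"  # gpg only recognises "-----BEGIN" at the start of a line

# An importable block: BEGIN and END lines must start their own lines.
ARMOR_RE = re.compile(
    r"^-----BEGIN (PGP [A-Z ]+)-----\n(.*?)\n-----END \1-----$", re.S | re.M
)


def crc24(data: bytes) -> int:
    """RFC 4880 section 6.1 checksum over the decoded packet bytes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes, kind: str = "PGP PUBLIC KEY BLOCK", comment: str = "") -> str:
    """Wrap packet bytes in ASCII armor with a CRC-24 trailer."""
    body = base64.b64encode(packet).decode()
    lines = [f"-----BEGIN {kind}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")  # blank line separates armor headers from the body
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode())
    lines.append(f"-----END {kind}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Decode the first armored block; raise ValueError if it is damaged."""
    match = ARMOR_RE.search(text)
    if match is None:
        raise ValueError("no importable armored block")
    lines = match.group(2).split("\n")
    if "" not in lines:
        raise ValueError("malformed armor: no blank line after the headers")
    body = [line for line in lines[lines.index("") + 1:] if line]
    if not body or not body[-1].startswith("="):
        raise ValueError("malformed armor: CRC-24 line missing")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch: the stored copy is corrupted")
    return data


def disable_import(armored: str) -> str:
    """Prefix every line so that gpg --import ignores the file."""
    return "".join(DISABLED_PREFIX + line + "\n" for line in armored.splitlines())


def enable_import(disabled: str) -> str:
    """Undo disable_import() when the certificate is actually needed."""
    return "".join(
        (line[1:] if line.startswith(DISABLED_PREFIX) else line) + "\n"
        for line in disabled.splitlines()
    )


def is_importable(text: str) -> bool:
    return ARMOR_RE.search(text) is not None


def check_stored_certificate(text: str) -> str:
    """Classify a stored revocation certificate file:
    'armed'     importable as is (the accidental-import risk from the thread)
    'disabled'  colon-prefixed, armor and checksum intact
    'corrupted' armor present but the base64 or CRC-24 check fails
    'missing'   no armored block found at all
    """
    if is_importable(text):
        candidate, state = text, "armed"
    elif is_importable(enable_import(text)):
        candidate, state = enable_import(text), "disabled"
    else:
        return "missing"
    try:
        dearmor(candidate)
    except ValueError:  # binascii.Error from b64decode is a ValueError too
        return "corrupted"
    return state


def simulate_bit_rot(armored: str) -> str:
    """Constructed failure for the demo: alter one base64 character of the body."""
    lines = armored.split("\n")
    first_body = lines.index("") + 1
    old = lines[first_body]
    lines[first_body] = ("A" if old[0] != "A" else "B") + old[1:]
    return "\n".join(lines)


# Constructed sample: a placeholder packet, not a real revocation signature.
SAMPLE_PACKET = b"\x88" + b"placeholder revocation signature packet for the demo"
SAMPLE_ARMORED = armor(SAMPLE_PACKET, comment="This is a revocation certificate")
```

To use it on a real certificate, feed the output of `gpg --gen-revoke` through `disable_import()` before writing it to disk, and run `check_stored_certificate()` on the stored file from a backup-verification job; `enable_import()` gives back the original text when the key actually has to be revoked.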
Re: options files
On Feb 24, 2013, at 6:58 PM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:

> On 02/21/2013 07:50 AM, John A. Wallace wrote:
>> Can I get a link discussing one or more of a typical situations when
>> options files are used? Thanks
>
> Some of us are collecting best practice suggestions over here:
>
> https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
>
> hth,
>
> --dkg

Fantastic tips, thank you.

As to the "always set an expiration date", I certainly wish I had the first time I created a GPG key for my personal account, since that was several inattentive years ago, and I no longer know the passphrase. (That's pretty much hopeless, right?)

Michael
Re: options files
On Mon, Feb 25, 2013 at 10:48 AM, Michael Hannemann mhannem...@meperia.com wrote:

> On Feb 24, 2013, at 6:58 PM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
>> On 02/21/2013 07:50 AM, John A. Wallace wrote:
>>> Can I get a link discussing one or more of a typical situations when
>>> options files are used? Thanks
>>
>> Some of us are collecting best practice suggestions over here:
>>
>> https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults
>>
>> hth,
>>
>> --dkg
>
> Fantastic tips, thank you.
>
> As to the "always set an expiration date", I certainly wish I had the
> first time I created a GPG key for my personal account, since that was
> several inattentive years ago, and I no longer know the passphrase.
> (That's pretty much hopeless, right?)
>
> Michael

Well, a revocation certificate should be sufficient to kill the key even if you forget the passphrase.

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
Re: options files
On 02/25/2013 11:48 PM, Michael Hannemann wrote:

> Fantastic tips, thank you.
>
> As to the "always set an expiration date", I certainly wish I had the
> first time I created a GPG key for my personal account, since that was
> several inattentive years ago, and I no longer know the passphrase.
> (That's pretty much hopeless, right?)

I really wish a 1y or 2y expiry was the default and that gpg prompted you to generate a revcert as part of key generation. I spend a lot of time cajoling staff into setting expiries, verifying that they have proper revcerts and revcert storage, etc.

-- 
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training Services
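Worked example added by the editor, not code from this thread or from GnuPG: a script that does the checking Craig describes doing by hand, run over the machine-readable listing that `gpg --with-colons --fixed-list-mode --list-keys` prints. It flags primary keys with no expiry, a validity period longer than the two years argued for above, keys that have already expired and keys lapsing within 30 days. The field positions are the ones documented in GnuPG's doc/DETAILS (record type in field 0, key ID in 4, creation and expiration in 5 and 6 as seconds since the epoch, user ID in field 9 of uid records); the listing and the five keys in it are constructed for the demo, the thresholds are the example's own, and the date used as "now" is the date of this thread.

```python
"""Audit a keyring listing for missing, over-long or imminent expiries.

Added example (editor's code, not GnuPG's).  Input is the output of
    gpg --with-colons --fixed-list-mode --list-keys
Assumed field layout (0-based, from GnuPG's doc/DETAILS): field 0 record
type, 4 key ID, 5 creation and 6 expiration as epoch seconds (empty = no
expiry); uid records carry the user ID in field 9.  Only primary keys are
audited; subkey expiry is a separate question.  SAMPLE_LISTING and NOW are
constructed for the demo.
"""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

MAX_VALIDITY = timedelta(days=730)  # the 1y-2y default argued for in the thread
WARN_BEFORE = timedelta(days=30)    # nag before the key lapses, not after


class Key(NamedTuple):
    keyid: str
    uid: str
    created: datetime
    expires: Optional[datetime]


class Finding(NamedTuple):
    keyid: str
    uid: str
    problem: str


def _epoch(field: str) -> Optional[datetime]:
    """--fixed-list-mode prints dates as epoch seconds; empty means never."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc) if field else None


def parse_listing(text: str) -> List[Key]:
    """Collect each primary key with its first user ID."""
    keys: List[dict] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"keyid": fields[4], "uid": "",
                         "created": _epoch(fields[5]), "expires": _epoch(fields[6])})
        elif fields[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = fields[9]
    return [Key(**k) for k in keys]


def audit(keys: List[Key], now: datetime) -> List[Finding]:
    findings: List[Finding] = []
    for key in keys:
        if key.expires is None:
            findings.append(Finding(key.keyid, key.uid, "no expiry"))
            continue
        if key.expires <= now:
            findings.append(Finding(key.keyid, key.uid, "expired"))
            continue
        validity = key.expires - key.created
        if validity > MAX_VALIDITY:
            findings.append(Finding(key.keyid, key.uid,
                                    f"validity period is {validity.days} days, "
                                    f"longer than {MAX_VALIDITY.days}"))
        if key.expires - now <= WARN_BEFORE:
            findings.append(Finding(key.keyid, key.uid,
                                    f"expires in {(key.expires - now).days} days"))
    return findings


def audit_listing(text: str, now: datetime) -> List[Finding]:
    return audit(parse_listing(text), now)


# Constructed listing: five fictitious primary keys plus one subkey record.
# Dates: 2012-03-01=1330560000, 2013-01-01=1356998400, 2013-03-15=1363305600,
#        2014-03-01=1393632000, 2023-01-01=1672531200.
SAMPLE_LISTING = """\
tru::1:1361836800:0:3:1:5
pub:u:4096:1:1111111111111111:1356998400::::::scESC::::::23::0:
uid:u::::1356998400::0000000000000000000000000000000000000001::Alice (no expiry) <alice@example.org>::::::::::0:
pub:u:4096:1:2222222222222222:1356998400:1672531200:::::scESC::::::23::0:
uid:u::::1356998400::0000000000000000000000000000000000000002::Bob (ten year expiry) <bob@example.org>::::::::::0:
pub:u:4096:1:3333333333333333:1330560000:1363305600:::::scESC::::::23::0:
uid:u::::1330560000::0000000000000000000000000000000000000003::Carol (expires soon) <carol@example.org>::::::::::0:
pub:u:4096:1:4444444444444444:1330560000:1393632000:::::scESC::::::23::0:
uid:u::::1330560000::0000000000000000000000000000000000000004::Dave (fine) <dave@example.org>::::::::::0:
pub:e:4096:1:5555555555555555:1330560000:1356998400:::::scESC::::::23::0:
uid:e::::1330560000::0000000000000000000000000000000000000005::Erin (already expired) <erin@example.org>::::::::::0:
sub:u:4096:1:6666666666666666:1330560000:1393632000:::::e::::::23:
"""
NOW = datetime(2013, 2, 26, tzinfo=timezone.utc)  # date of this thread

if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING, NOW):
        print(f"{finding.keyid}  {finding.uid}: {finding.problem}")
```

Against a real keyring, replace SAMPLE_LISTING with the standard input and NOW with `datetime.now(timezone.utc)`; the sub record in the sample shows that subkeys are skipped, so a team that rotates encryption subkeys needs a second pass over `sub` records with the same date fields.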
Re: options files
On 02/21/2013 07:50 AM, John A. Wallace wrote:

> Can I get a link discussing one or more of a typical situations when
> options files are used? Thanks

Some of us are collecting best practice suggestions over here:

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#update-your-gpg-defaults

hth,

--dkg
options files
Hi,

Can I get a link discussing one or more of a typical situations when options files are used? Thanks

John A. Wallace

The pen is mightier than the sword, but only if you get in the first stroke.
Re: options files
On Thu, 21 Feb 2013 16:50, jw72...@verizon.net said:

> Can I get a link discussing one or more of a typical situations when
> options files are used? Thanks

I have no link but at least gpg.conf should always be used to set at least your own signing key and an --encrypt-to key. A keyserver entry is also useful.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are regulated by a federal law.)
Re: options files
On Thu, Feb 21, 2013 at 1:39 PM, Werner Koch w...@gnupg.org wrote:

> On Thu, 21 Feb 2013 16:50, jw72...@verizon.net said:
>> Can I get a link discussing one or more of a typical situations when
>> options files are used? Thanks
>
> I have no link but at least gpg.conf should always be used to set at
> least your own signing key and an --encrypt-to key. A keyserver entry
> is also useful.
>
> Shalom-Salam,
>
>    Werner
>
> -- 
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
> (Thoughts are free. Exceptions are regulated by a federal law.)

I use the 1.4 trunk (1.4.13) but here are the contents of my gpg.conf file, if you find that helpful:

comment Most recent key: Click show in box @ http://is.gd/4xJrs
default-key 0x0D62B019F80E29F9
default-recipient-self
encrypt-to 0x0D62B019F80E29F9
keyserver hkp://pool.sks-keyservers.net
keyserver-options auto-key-retrieve include-disabled
sig-keyserver-url http://keyserver.ubuntu.com/pks/lookup?op=get&hash=on&fingerprint=on&search=0x0D62B019F80E29F9
photo-viewer c:\program files\gpgshell\gpgview.exe %i /title 0x%k
rfc4880
enable-dsa2
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 AES TWOFISH CAMELLIA256 CAMELLIA192 CAMELLIA128 BLOWFISH CAST5 3DES AES192 AES256 BZIP2 ZLIB ZIP
personal-cipher-preferences AES TWOFISH CAMELLIA256 CAMELLIA192 CAMELLIA128 BLOWFISH CAST5 3DES AES192 AES256
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1
personal-compress-preferences BZIP2 ZLIB ZIP
ask-cert-level
keyid-format 0xSHORT
ask-cert-expire
expert
s2k-digest-algo SHA512
s2k-cipher-algo AES
cert-digest-algo SHA512
verbose
compress-level 9
bzip2-compress-level 9

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9