Requested-by: Richard Yao <r...@gentoo.org>
---
 glep-0063.rst | 54 +++++++--------------------------------------------
 1 file changed, 7 insertions(+), 47 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 0792a5c..b20af61 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -42,6 +42,9 @@ v2
   The ``gpgfingerprint`` LDAP field has been altered to remove optional
   whitespace.
 
+  The recommended ``gpg.conf`` contents have been removed as they were
+  seriously outdated and decreased security over the modern defaults.
+
 v1.1
   The recommended RSA key size has been changed from 4096 bits
   to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
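Review bot: The new v2 changelog entry does not say which of the removed settings were outdated or how they "decreased security over the modern defaults", so a developer who already pasted the old block into ``~/.gnupg/gpg.conf`` cannot tell what to drop. Consider naming the offending directives (e.g. the hard-coded ``default-preference-list`` and ``cert-digest-algo SHA256`` from the removed block, which pin algorithm choices that current GnuPG already meets or exceeds by default) and stating that existing developers should remove the stale block rather than keep it.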
@@ -102,58 +105,15 @@ The developers should follow those practices unless there 
is a strong
 technical reason not to (e.g. hardware limitations, necessity of replacing
 their primary key).
 
-1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append
-   the following block::
-
-       keyserver pool.sks-keyservers.net
-
-       emit-version
-
-       default-recipient-self
-
-       # -- All of the below portion from the RiseUp.net OpenPGP best 
practices, and
-       # -- many of them are also in the Debian GPG documentation.
-
-       # when outputting certificates, view user IDs distinctly from keys:
-       fixed-list-mode
-
-       # long keyids are more collision-resistant than short keyids (it's 
trivial to make a key
-       # with any desired short keyid)
-       # NOTE: this breaks kmail gnupg support!
-       keyid-format 0xlong
-
-       # when multiple digests are supported by all recipients, choose the 
strongest one:
-       personal-digest-preferences SHA512 SHA384 SHA256 SHA224
-
-       # preferences chosen for new keys should prioritize stronger algorithms:
-       default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES 
CAST5 BZIP2 ZLIB ZIP Uncompressed
-
-       # If you use a graphical environment (and even if you don't) you should 
be using an agent:
-       # (similar arguments as  
https://www.debian-administration.org/users/dkg/weblog/64)
-       use-agent
-
-       # You should always know at a glance which User IDs gpg thinks are 
legitimately bound to
-       # the keys in your keyring:
-       verify-options show-uid-validity
-       list-options show-uid-validity
-
-       # include an unambiguous indicator of which key made a signature:
-       # (see 
http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
-       # (and 
http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
-       sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g
-
-       # when making an OpenPGP certification, use a stronger digest than the 
default SHA1:
-       cert-digest-algo SHA256
-
-2. Primary key and the signing subkey are both of type RSA, 2048 bits
+1. Primary key and the signing subkey are both of type RSA, 2048 bits
    (OpenPGP v4 key format or later)
 
-3. Key expiration renewed annually to a fixed day of the year
+2. Key expiration renewed annually to a fixed day of the year
 
-4. Create a revocation certificate & store it hardcopy offsite securely
+3. Create a revocation certificate & store it hardcopy offsite securely
    (it's about ~300 bytes).
 
-5. Encrypted backup of your secret keys.
+4. Encrypted backup of your secret keys.
 
 Gentoo LDAP
 ===========
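Review bot: Deleting the whole ``gpg.conf`` step leaves no replacement guidance, so the list now jumps straight to key type with nothing telling developers to rely on the GnuPG defaults the commit message prefers, and nothing telling those who followed the old text to remove ``keyserver pool.sks-keyservers.net``, the fixed ``default-preference-list`` and the rest of the block from an existing configuration. A short step such as "Use the GnuPG defaults; remove any previously recommended ``gpg.conf`` block" would preserve the list's intent, and the renumbering to 1-4 is otherwise consistent with the surviving items.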
-- 
2.18.0