Re: Changing default digest algo

2013-11-03 Thread Daniel Kahn Gillmor

On 11/04/2013 12:45 AM, Chuck Peters wrote:

> I added the following to gpg.conf:
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> I changed the preferences:
> gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> And verified:
> gpg> showpref
> [ultimate] (1). Charles F. Peters II (Chuck)
>   Cipher: AES256, AES192, AES, CAST5, 3DES
>   Digest: SHA512, SHA384, SHA256, SHA224, SHA1
>   Compression: ZLIB, BZIP2, ZIP, Uncompressed
>   Features: MDC, Keyserver no-modify


these steps look right to me, though i don't see the updated preferences 
on the public keyserver network yet.



> When I check the keys, it still shows SHA1:
> $ gpg --export-options export-minimal --export 23E9EB24 | gpg --list-packets | grep -A 2 signature | grep 'digest algo 2,'
>  digest algo 2, begin of digest a3 6e
>  digest algo 2, begin of digest 3b 34
>  digest algo 2, begin of digest f2 3e
>  digest algo 2, begin of digest ae 58
>  digest algo 2, begin of digest 67 fa
>  digest algo 2, begin of digest e6 39



your key has four signing-capable subkeys and two encryption-capable 
subkeys.  It also has two user IDs.  This means that there should be 
eight self-signatures (4 + 2 + 2 = 8).  Above, you're only showing 6 
self-sigs with SHA-1.  I suspect that your User IDs (where the 
preference subpackets are stored) are actually being certified with a 
stronger digest, but your subkey binding signatures have not been adjusted.


I just tested with an example profile using configuration options 
similar to the ones you've described above, and found that newly-created 
subkeys (after the config change) are bound with a subkey binding 
signature over the preferred cert-digest-algo.  so one approach (if 
there are no other suggestions for re-creating new subkey binding 
signatures on the existing subkeys) is that you could generate new 
subkeys and revoke the old ones.


hth,

--dkg

PS as an aside, having two 4096-bit encryption-capable subkeys is 
probably not useful.  Your peers who encrypt traffic to you will need to 
choose one to encrypt to, and they will just choose the most recent one. 
 I recommend revoking all but the most recent.  If you have a good 
reason for keeping all 4 signing-capable subkeys (e.g. you are 
distributing signing-capable subkeys to separate devices which you want 
to be able to revoke if those devices become compromised), that's fine. 
 If that's not the case, you probably want to revoke most of those 
signing-capable subkeys too.


PPS you may be interested in:

 http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/024986.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
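
An added example, not part of the original thread: the self-signature count in the reply above can be checked mechanically by tallying the digest algorithm per signature class in `gpg --list-packets` output. The function names and the sample packets are constructed for illustration; the sample mirrors the situation the reply suspects (user ID certifications on a stronger digest, subkey bindings still on SHA-1).

```shell
#!/bin/sh
# Added example. Real use (KEYID is a placeholder):
#   gpg --export-options export-minimal --export KEYID \
#     | gpg --list-packets | digest_by_sigclass

# Reads --list-packets text on stdin; prints "<count> <class> <digest>".
digest_by_sigclass() {
    awk '
    BEGIN {
        # Hash algorithm IDs, RFC 4880 section 9.4
        h[1]="MD5"; h[2]="SHA1"; h[3]="RIPEMD160"; h[8]="SHA256"
        h[9]="SHA384"; h[10]="SHA512"; h[11]="SHA224"
        # Signature types, RFC 4880 section 5.2.1
        c["0x10"]=c["0x11"]=c["0x12"]=c["0x13"]="uid-cert"
        c["0x18"]="subkey-binding"; c["0x19"]="primary-key-binding"
    }
    # A signature packet starts: remember that we are inside one.
    /^:signature packet:/ { insig = 1; class = "?"; next }
    # Any other packet header ends the current signature.
    /^:/ { insig = 0 }
    insig && /sigclass/ {
        for (i = 1; i < NF; i++) if ($i == "sigclass") class = tolower($(i + 1))
    }
    # The first "digest algo" line belongs to the signature itself.
    insig && $1 == "digest" && $2 == "algo" {
        id = $3; sub(/,/, "", id)
        cn = (class in c) ? c[class] : "class-" class
        hn = (id in h) ? h[id] : "algo-" id
        count[cn " " hn]++
        insig = 0
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed sample: two user IDs certified with SHA512 (algo 10),
# six subkeys still bound with SHA1 (algo 2). Not real key material.
sample_sig() {
    printf ':signature packet: algo 1, keyid 0000000000000000\n'
    printf '\tversion 4, created 0, md5len 0, sigclass %s\n' "$1"
    printf '\tdigest algo %s, begin of digest 00 00\n' "$2"
}
sample_packets() {
    echo ':public key packet:'
    for n in 1 2; do echo ":user ID packet: \"Constructed User $n\""; sample_sig 0x13 10; done
    for n in 1 2 3 4 5 6; do echo ':public sub key packet:'; sample_sig 0x18 2; done
}

sample_packets | digest_by_sigclass
```

A `subkey-binding SHA1` row next to a `uid-cert SHA512` row is the pattern described in the reply: the preference change reached the user ID certifications but not the existing subkey binding signatures.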


Changing default digest algo

2013-11-03 Thread Chuck Peters

I generated some new keys in Sept and would like to convert the digest
from SHA1 to SHA512.

I added the following to gpg.conf:
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I changed the preferences:
gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
 
And verified:
gpg> showpref
[ultimate] (1). Charles F. Peters II (Chuck) 
 Cipher: AES256, AES192, AES, CAST5, 3DES
 Digest: SHA512, SHA384, SHA256, SHA224, SHA1
 Compression: ZLIB, BZIP2, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify

When I check the keys, it still shows SHA1:
$ gpg --export-options export-minimal --export 23E9EB24 | gpg --list-packets | grep -A 2 signature | grep 'digest algo 2,'
digest algo 2, begin of digest a3 6e
digest algo 2, begin of digest 3b 34
digest algo 2, begin of digest f2 3e
digest algo 2, begin of digest ae 58
digest algo 2, begin of digest 67 fa
digest algo 2, begin of digest e6 39

I tried a few things like changing the passphrase, signing my key and
gpg --s2k-digest-algo SHA512 --edit-key 23E9EB24 and nothing seems to
work.  How do I change the digest to SHA512?


Thanks,
Chuck

1. http://www.debian-administration.org/users/dkg/weblog/48
2. https://we.riseup.net/riseuplabs+paow/openpgp-best-practices




Re: gpgsm and expired certificates

2013-11-03 Thread Uwe Brauer
>> "Ingo" == Ingo Klöcker  writes:


   > I interpreted "especially because of all which was lately revealed about 
   > the NSA" 

No, it was more of a general remark, concerning NSA malpractice of
reading everybody's (unencrypted) email unconditionally.

   > So, your point/hope probably was that a government based CA
   > wouldn't have such a business model and would instead offer this
   > service gratis to the people (so that more people would be
   > protected from the NSA reading their mail). If this was your point
   > then apparently I didn't see it when I first read your message.


That was *precisely* my point, thanks for clarifying it 

Uwe Brauer 




Re: Quotes from GPG users

2013-11-03 Thread Marko Randjelovic
On Wed, 30 Oct 2013 11:58:56 +0100
Sam Tuke  wrote:

> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.
> 
> I'll collect them and pick the best for use now and in future.


I send five variants (but the best is all of them :) ):


I use GnuPG because I care and because I was taught it was a sin to open other 
people's letters.

I use GnuPG because there was a country where people used to say "OZNA comes to 
know anything".

I use GnuPG because I don't trade with my independence.

I use GnuPG because I don't trade with my freedom.

I use GnuPG because I take critical attitude towards possibility of abuse of 
my data.


-- 
http://mr.flossdaily.org




Re: Quotes from GPG users

2013-11-03 Thread Daniel Kahn Gillmor

On 10/30/2013 06:58 AM, Sam Tuke wrote:

> If you want to help us, send your own statement about why GPG is important to
> you. Please keep it less than or equal to 130 characters, so it can be used on
> social networks.


As a Debian user, I rely on GnuPG to ensure that the software I install 
hasn't been tampered with.


--dkg


