author:    Michał Górny <mgorny@gentoo.org>  2018-07-07 07:52:08 +0200
committer: Michał Górny <mgorny@gentoo.org>  2018-07-29 22:07:26 +0200
commit:    fd51ab71f9ae4493ea25f012d622e0c92e0e1d82 (patch)
tree:      6ef0e32bcf6f1901335f93df8e7571856f29cc75
parent:    glep-0063: Remove whitespace from LDAP field (diff)
glep-0063: Remove gpg.conf bits
Remove the gpg.conf bits from recommended and minimal specification.
Apparently they are seriously obsolete and worse than the modern defaults.
While at it, editorial corrections to 'SHA2' bit.

Requested-by: Richard Yao <ryao@gentoo.org>
-rw-r--r--  glep-0063.rst  | 60
1 file changed, 9 insertions, 51 deletions
diff --git a/glep-0063.rst b/glep-0063.rst
index 37b1f4d..84d87d2 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -42,6 +42,9 @@ v2
The ``gpgfingerprint`` LDAP field has been altered to remove optional
whitespace.
+ The ``gpg.conf`` contents have been removed as they were seriously
+ outdated and decreased security over the modern defaults.
+
v1.1
The recommended RSA key size has been changed from 4096 bits
to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
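Review bot: the new v2 changelog entry records only that the ``gpg.conf`` block was dropped from the specification; it gives no guidance to developers who followed the earlier revision and already appended that block to ``~/.gnupg/gpg.conf``. Since the stated reason is that the settings "decreased security over the modern defaults", a sentence such as "Developers who applied the previous ``gpg.conf`` block are advised to remove it and rely on the GnuPG defaults" would make the entry actionable. Minor: "seriously outdated" reads as editorializing in a changelog; "outdated" is enough.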
@@ -73,10 +76,8 @@ This section specifies obligatory requirements for all OpenPGP keys used
to commit to Gentoo. Keys that do not conform to those requirements can
not be used to commit.
-1. SHA2-series output digest (SHA1 digests internally permitted),
- 256bit or more::
-
- personal-digest-preferences SHA256
+1. SHA-2 series output digest (SHA-1 digests internally permitted),
+ at least 256-bit.
2. Signing subkey that is different from the primary key, and does not
have any other capabilities enabled
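Review bot: with the ``personal-digest-preferences SHA256`` line removed, item 1 of the minimum requirements no longer says how a developer is expected to satisfy or check it. Given that the rationale in the v2 changelog entry is that current GnuPG defaults are better than the old block, a short statement that the defaults already meet this requirement would keep it actionable. Separately, "SHA-1 digests internally permitted" leaves "internally" undefined; say which uses of SHA-1 are tolerated and which are not. The hyphenated forms "SHA-2", "SHA-1" and "256-bit" are now consistent with each other, which is an improvement over the old text.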
@@ -102,58 +103,15 @@ The developers should follow those practices unless there is a strong
technical reason not to (e.g. hardware limitations, necessity of replacing
their primary key).
-1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append
- the following block::
-
- keyserver pool.sks-keyservers.net
-
- emit-version
-
- default-recipient-self
-
- # -- All of the below portion from the RiseUp.net OpenPGP best practices, and
- # -- many of them are also in the Debian GPG documentation.
-
- # when outputting certificates, view user IDs distinctly from keys:
- fixed-list-mode
-
- # long keyids are more collision-resistant than short keyids (it's trivial to make a key
- # with any desired short keyid)
- # NOTE: this breaks kmail gnupg support!
- keyid-format 0xlong
-
- # when multiple digests are supported by all recipients, choose the strongest one:
- personal-digest-preferences SHA512 SHA384 SHA256 SHA224
-
- # preferences chosen for new keys should prioritize stronger algorithms:
- default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
-
- # If you use a graphical environment (and even if you don't) you should be using an agent:
- # (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
- use-agent
-
- # You should always know at a glance which User IDs gpg thinks are legitimately bound to
- # the keys in your keyring:
- verify-options show-uid-validity
- list-options show-uid-validity
-
- # include an unambiguous indicator of which key made a signature:
- # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
- # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
- sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
-
- # when making an OpenPGP certification, use a stronger digest than the default SHA1:
- cert-digest-algo SHA256
-
-2. Primary key and the signing subkey are both of type RSA, 2048 bits
+1. Primary key and the signing subkey are both of type RSA, 2048 bits
(OpenPGP v4 key format or later)
-3. Key expiration renewed annually to a fixed day of the year
+2. Key expiration renewed annually to a fixed day of the year
-4. Create a revocation certificate & store it hardcopy offsite securely
+3. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
-5. Encrypted backup of your secret keys.
+4. Encrypted backup of your secret keys.
Gentoo LDAP
===========
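Review bot: deleting the whole block also removes the only mentions in the GLEP of a keyserver (``keyserver pool.sks-keyservers.net``) and of running an agent (``use-agent``). The remaining item 2, "Key expiration renewed annually to a fixed day of the year", only helps if other developers can refresh the key from somewhere, so consider keeping a keyserver recommendation as its own list item rather than dropping it silently, or state that the GnuPG default is acceptable. The renumbering of items 1-4 is consistent with the removal. Minor, in unchanged context: "it's about ~300 bytes" in item 3 says "about" twice; drop either "about" or "~".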