How to "activate" gpg.conf entries?
Robert J. Hansen
rjh at sixdemonbag.org
Wed Jul 11 17:11:44 CEST 2012
On 7/11/2012 10:09 AM, Sam Smith wrote:
> 1) to use stronger hash when supported by others, I added this line =
> *personal-digest-preferences SHA256*
I would suggest "SHA256 RIPEMD160", myself. There are no known attacks
on RIPEMD160, and if you're in a situation that requires the use of a
160-bit hash it will allow you to fall back to a still-trusted hash
rather than SHA-1.
> 2) to use the SHA256 hash when I Sign a message, I added this line
> =*cert-digest-algo SHA256*
That's not what cert-digest-algo does.
> 3) to change what is used when a new key is generated I added this line
> = *default-preference-list SHA256 SHA384 SHA512 SHA224 AES256 AES192 AES
> CAST5 ZLIB BZIP2 ZIP Uncompressed*
There's nothing technically wrong with this, but I'd advise doing
something different. Remember, the preflist on a certificate is
(somewhat) misnamed: it's meant to show both capabilities *and*
preferences. For instance, you can use Blowfish and Twofish and
Camellia256 and whatnot. These are all believed to be safe, so there's
really no reason to omit them from your certificate prefs.
Push SHA-1 to the back of your hash prefs, certainly -- but if you don't
have a strong reason to omit believed-safe algorithms from your pref
list, I would consider it best to include them.
> What procedure should I now do to "activate" or put into effect these
> preferences? Once done, is there a way to verify that these preferences
> are in effect, how can I verify?
Sign a message and send it to the list.
Don't forget to add "enable-dsa2" to your gpg.conf file *if* (a) you're
using a DSA-1k signing key and (b) you want to be able to use truncated
SHA256 with it.
More information about the Gnupg-users
mailing list