please change the default hashing algorithm

Ben McGinnes ben at adversary.org
Wed Jul 15 01:29:19 CEST 2015 

On 15/07/2015 8:23 am, Robert J. Hansen wrote:
>> Yeah, but that's what gets generated when you override the homedir
>> to an empty directory that doesn't have a gpg.conf file at all.
>> Hence that is the default.
> 
> That's the default for certificate preferences (the preferences that get
> placed on a newly-generated certificate).  That's not the same thing as
> the default personal-*-preferences.
>
> They may be the same, they may be different -- but internally to GnuPG,
> they are two different sets of preferences, so you can't point to
> certificate preferences and say "this is what's used as default
> personal-*-preferences".

I'd be surprised if they weren't the same, but on the other hand it's
been so long since I've seen a default gpg.conf file that I really
can't be sure.  Still, a quick skim through gpg.c indicates that the
default config settings are generated by gpg if there isn't a gpg.conf
file when it is first invoked.  So if cipher preferences are not set
on the command line then that first key will end up with the default
settings either way.

Obviously I was far too lazy to try passing cipher preferences on the
command line.  ;)

>> Really?  I distinctly recall you recommending TWOFISH to me on 
>> gnupg-users some time ago
> 
> If I did, I was absolutely in error to do so, and you should've known
> better than to believe me!
> 
> I like TWOFISH for reasons that are pretty much irrelevant here.  It's
> enough to say that I think TWOFISH is a better choice for me.  Those
> last two words are important.  My reasons probably don't apply to you.
> After all -- you're not me.

Good thing I based my decision on other things then.  Fear not, your
suggestion only got me started in looking into why the defaults were
the defaults and whether or not they were best for me.

> Further, I'm not a cryppie.  I don't know where people get the idea
> that I am one.  A decade ago in graduate school I did some
> graduate-level work with cryptologic research, but I haven't kept
> current since then.

I'm not sure where that theory comes from either.  I just tend to do
what I always do when it comes to the more arcane aspects of any tech;
research the positions of whoever the top people are in that field,
and find use cases that are close(-ish) to my needs, then make a best
guess.  It usually works out, even with the voodoo of cryptography.

> Nobody should trust the judgment of an ex-cryppie who hasn't kept
> current over the judgment of the professional cryptologic community.
> *Nobody*.  If you think my commentary on cryptology is interesting,
> I'm happy.  If you think it's definitive, you're wrong.  :)

I don't even think Bruce Schneier's commentary is definitive, but I do
pay attention to what he says.  ;)

I also pay attention to a more local friend and former colleague who,
in his misspent youth, may have worked for a certain directorate
around these parts and has been known, over a glass of single malt, to
mention his own preferences in some of these things.


Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150715/3e2c1177/attachment-0001.sig>

More information about the Gnupg-devel mailing list