Revisions to the GNU Privacy Handbook
mezzanine at Safe-mail.net
mezzanine at Safe-mail.net
Fri Dec 10 13:14:20 CET 2010
The current issue of the GNU Privacy Handbook appears to date back to the year 1999. Out of interest, I obtained a copy of the handbook and edited it with the hope of making it somewhat more up-to-date. In particular, the revisions include such things as generating RSA keys (from what one remembers, in 1999 RSA encryption was subject to licensing restrictions that probably prevented it from being widely implemented in the GnuPG software), 2048-bit keys for public-key encryption (as opposed to 1024-bit keys), the deprecation of the SHA-1 hash algorithm, graphical front-ends for the GnuPG software, and the difference between fully valid and marginally valid keys (I am still not sure as to whether the path length limit of five steps applies in all cases.) Some URLs have also been updated.
The diff output below may be useful for generating the revised version of the handbook from the current version (i.e. the version at the http://www.gnupg.org/gph/en/manual.html URL.)
> ><BR />
> Last modified on December 10, 2010 by Richard</P
< gpg (GnuPG) 0.9.4; Copyright (C) 1999 Free Software Foundation, Inc.
< This program comes with ABSOLUTELY NO WARRANTY.
< This is free software, and you are welcome to redistribute it
< under certain conditions. See the file COPYING for details.
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
< (1) DSA and ElGamal (default)
> (1) DSA and Elgamal (default)
< (4) ElGamal (sign and encrypt)
> (5) RSA (sign only)
< Option 4<A
> Option 5 creates a single RSA
> keypair usable only for making signatures.
> In all cases it is possible to later add additional subkeys for encryption
> and signing.
> <B>Note:</B> Although it is not the default choice, the recommended choice for most circumstances is to create a signature-only RSA keypair via Option 5 and to afterwards add an RSA subordinate keypair for encryption<A
< > creates a single ElGamal
< keypair usable for both making signatures and performing encryption.
< In all cases it is possible to later add additional subkeys for encryption
< and signing.
< For most users the default option is fine.</P
< key may be of any size.
> key or an RSA key may be of any size.
< >About to generate a new ELG-E keypair.
< minimum keysize is 768 bits
< default keysize is 1024 bits
< highest suggested keysize is 2048 bits
< What keysize do you want? (1024)</PRE
> >RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048)</PRE
< Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.</P
> Modern examples of symmetric ciphers include 3DES, Blowfish, Rijndael,
> and IDEA.</P
< Blowfish, and IDEA
> Blowfish, Rijndael, and IDEA
< possible keys.
> possible keys. 2<SUP
> > is 340,282,366,920,938,463,463,374,607,431,768,211,456 keys.
< the universe to find the key.</P
> the universe to find the key. (Some symmetric ciphers, such as Rijndael,
> can also use keys that are greater in size than 128 bits.)</P
< technology public keys with 1024 bits are recommended for most purposes.</P
> technology public keys with 2048 bits are recommended for most purposes.</P
< algorithm that works as just described.
< DSA is the primary signing algorithm used in GnuPG.</P
> algorithm that works as just described.</P
> for an RSA key, <TT
< The subkey may be a DSA signing key, and encrypt-only ElGamal
< key, or a sign-and-encrypt ElGamal key.
> The subkey may be a DSA signing key, an encrypt-only ElGamal
> key, a sign-only RSA key, or an encrypt-only RSA key.
< Formerly, a key was considered valid only if you signed it personally.
> Formerly, a key was considered fully valid only if you signed it personally.
< > is considered valid
> > is considered fully valid
< >it is signed by enough valid keys, meaning
> >it is signed by enough fully valid keys, meaning
< >it has been signed by three marginally trusted keys; and</P
> >it has been signed by at least three marginally trusted keys; and</P
< The path length, number of marginally trusted keys required, and number
> A key <I
> > is marginally valid if it has been signed by at least one
> but less than three fully valid keys that are marginally trusted. In such a case, the path of signed keys from <I
> > back to your own key is subject to the same length limit of five steps that was previously mentioned. A
> key with only marginal validity, even if fully trusted, does not count as
> a valid key for the purpose of signing other keys.</P>
> <P>The path length, number of marginally trusted keys required, and number
< Finally, as of 1999, laws regarding digital encryption, and in particular
> Finally, as of 2010, laws regarding digital encryption, and in particular
< is currently being debated by many national governments.</P
> are currently being debated by many national governments.</P
< key will be a DSA key, and the subkeys will be ElGamal keys.</P
> key will be a DSA key, and the subkeys will be ElGamal keys. Though it is not the default
> option, an RSA master key is recommended as a more secure alternative to a DSA key<A
< >ElGamal keys, on the other hand, may be of any size.
> >ElGamal keys and RSA keys, on the other hand, may be of any size.
< 1024 bits is thus the recommended key size.
> 2048 bits is thus the recommended key size.
> <P>If you are interested in graphical front-ends for GnuPG, the MacGPG and GPG4Win projects may be of interest. The home page for the MacGPG project is located at <A HREF="http://macgpg.sourceforge.net">http://macgpg.sourceforge.net</A> on the Web and the homepage for the GPG4Win project is located at <A HREF="http://gpg4win.org">http://gpg4win.org</A> on the Web.</P
< >Option 3 is to generate an ElGamal keypair that is
< not usable for making signatures.</P
> >The DSA algorithm may use the SHA-1 hash function. Due to cryptographic weaknesses that have been found in SHA-1, RSA keys are a recommended alternative to DSA keys. It is also recommended that GnuPG be configured to prefer the SHA-256 hash function over SHA-1. For more information about this issue, please see the <A HREF="http://www.debian-administration.org/users/dkg/weblog/48">HOWTO prep for migration off of SHA-1 in OpenPGP</A> <<A HREF="http://www.debian-administration.org/users/dkg/weblog/48">http://www.debian-administration.org/users/dkg/weblog/48</A>> weblog entry at <A HREF="http://www.debian-administration.org">Debian Administration</A>.</P
\ No newline at end of file
More information about the Gnupg-doc