Documentation blues

Robin Lynn Frank rlfrank@paradigm-omega.com
Wed Jun 25 02:59:01 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Tuesday 24 June 2003 05:17 pm, David Shaw wrote:

> > Actually, cipher-algo, digest-algo and cert-digest-algo don't appear
> > in those documents (unless I've gone blind).  Since they can be used
> > in gpg.conf, that would be the logical place to look.
>
> cipher-algo, digest-algo, and especially cert-digest-algo fall into
> the "esoteric" command category.  They are not something that should
> be used except in very special circumstances, and those circumstances
> are usually rare.
>
I see, enforcing the use of RIPEMD160 and TWOFISH instead of SHA1 and whatever
is esoteric.  But then again most folks don't have to deal with a security
director who gets livid at the mention of SHA1 or AES.  Well, come to think
of it, maybe it is esoteric ;-) (Hope he doesn't see this)

> > And I am still looking to find out if I can make these preferences
> > global, perchance in /etc/gpg.conf or something similar.
>
> There is no global gpg.conf.  You can build custom preferences
> directly into the binary if you really want to, but this is
> discouraged.  A global gpg.conf can be dangerous - it means that
> someone else could change your encryption details out from under you,
> and thus cause something unexpected or unwanted to happen.
>
> I'm not necessarily talking about a malicious attack (someone who
> could change /etc/gpg.conf could probably change your gpg.conf file
> anyway), but a change that is reasonable in a global gpg.conf may not
> be reasonable in your local gpg.conf and cause a problem.
>
It's a company-wide thing.  I suppose I could use chattr and make them all
immutable.

>
> I think the OSX frontend does write gpg.conf (of course, you'd need to
> be running OSX).  I wonder if someone wants to make a GnuPG module for
> the dotfile generator (http://www.blackie.dk/dotfile/).
>
> That said, the standard works-for-almost-anyone configuration is a
> *blank* gpg.conf.  The default options built into the program are
> carefully chosen to be the right values for the majority of uses.  A
> significant number of problems (both in use of GnuPG and in
> interoperability with other users) come when people change these safe
> defaults.
>
> GnuPG gives the user a significant amount of configurability.  That's
> a good thing usually, but the other side of this is that GnuPG also
> gives the user a significant ability to shoot themselves in the foot.
>
I might need target practice ;-)
- --
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
    ******
The need to do something is
inversely proportional to the
time available.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE++PQOmq9pLlRaCV8RA692AJ9vhXVE0mRIu91ZJ/ixbWmKae4snACfQFdZ
5bAxVJHx5K4grsZLNEBeMXs=
=5phY
-----END PGP SIGNATURE-----
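
Since the thread establishes that there is no global gpg.conf, a company-wide algorithm policy has to be checked per user file. The following is an added example, not part of the original message and not GnuPG code: it audits gpg.conf text for the three override options named above. The function names, the policy dictionary and the sample file are assumptions constructed for illustration.

```python
# Added example: audit gpg.conf text for the algorithm overrides named in the
# thread. Policy values and the sample file are constructed for illustration.

OVERRIDES = ("cipher-algo", "digest-algo", "cert-digest-algo")

def parse_overrides(conf_text):
    """Return {option: VALUE} for the override options present in conf_text."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-")            # tolerate "--cipher-algo" form
        if name in OVERRIDES:
            # Assumption: a later line replaces an earlier one, and algorithm
            # names compare case-insensitively.
            found[name] = parts[1].strip().upper() if len(parts) > 1 else ""
    return found

def audit(conf_text, policy):
    """Return [(option, status, value)] comparing one gpg.conf to policy."""
    found = parse_overrides(conf_text)
    report = []
    for opt in OVERRIDES:
        want, have = policy.get(opt), found.get(opt)
        if have is None:
            status = "missing" if want else "default"
        elif want is None:
            status = "unexpected"              # override the policy never asked for
        else:
            status = "ok" if have == want.upper() else "mismatch"
        report.append((opt, status, have))
    return report

# Constructed policy: the poster's stated preference; cert-digest-algo is
# deliberately left to the built-in default.
POLICY = {"cipher-algo": "TWOFISH", "digest-algo": "RIPEMD160"}

# Constructed sample gpg.conf.
SAMPLE = """\
# company settings
cipher-algo twofish
digest-algo SHA1
#cert-digest-algo RIPEMD160
"""

if __name__ == "__main__":
    for opt, status, value in audit(SAMPLE, POLICY):
        print(f"{opt:18} {status:10} {value or '-'}")
```

With an empty policy, a blank gpg.conf reports every option as `default`, which is the configuration the quoted reply recommends.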