Robin Lynn Frank
Wed Jun 25 02:59:01 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Tuesday 24 June 2003 05:17 pm, David Shaw wrote:
> > Actually, cipher-algo, digest-algo and cert-digest-algo don't appear
> > in those documents (unless I've gone blind). Since they can be used
> > in gpg.conf, that would be the logical place to look.
> cipher-algo, digest-algo, and especially cert-digest-algo fall into
> the "esoteric" command category. They are not something that should
> be used except in very special circumstances, and those circumstances
> are usually rare.
I see, enforcing the use of RIPEMD160 and TWOFISH Instead of SHA1 and wha=
is esoteric. But then again most folks don't have to deal with a securi=
director who gets livid at the mention of SHA1 or AES. Well, come to thi=
of it, maybe it is esoteric ;-) (Hope he doesn't see this)
> > And I am still looking to find out if I can make these preferences
> > global, perchance in /etc/gpg.conf of something similar.
> There is no global gpg.conf. You can build custom preferences
> directly into the binary if you really want to, but this is
> discouraged. A global gpg.conf can be dangerous - it means that
> someone else could change your encryption details out from under you,
> and thus cause something unexpected or unwanted to happen.
> I'm not necessarily talking about a malicious attack (someone who
> could change /etc/gpg.conf could probably change your gpg.conf file
> anyway), but an change that is reasonable in a global gpg.conf may not
> be reasonable in your local gpg.conf and cause a problem.
Its a company-wide thing. I suppose I could use chattr and make them all=
> I think the OSX frontend does write gpg.conf (of course, you'd need to
> be running OSX). I wonder if someone wants to make a GnuPG module for
> the dotfile generator (http://www.blackie.dk/dotfile/).
> That said, the standard works-for-almost-anyone configuration is a
> *blank* gpg.conf. The default options built into the program are
> carefully chosen to be the right values for the majority of uses. A
> significant number of problems (both in use of GnuPG and in
> interoperability with other users) come when people change these safe
> GnuPG gives the user a significant amount of configurability. That's
> a good thing usually, but the other side of this is that GnuPG also
> gives the user a significant ability to shoot themselves in the foot.
I might need target practice ;-)
Robin Lynn Frank
Director of Operations
The need to do something is
inversely proportional to the
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----