Documentation blues

David Shaw dshaw@jabberwocky.com
Wed Jun 25 03:56:02 2003


On Tue, Jun 24, 2003 at 05:59:51PM -0700, Robin Lynn Frank wrote:
> On Tuesday 24 June 2003 05:17 pm, David Shaw wrote:
> 
> > > Actually, cipher-algo, digest-algo and cert-digest-algo don't appear
> > > in those documents (unless I've gone blind).  Since they can be used
> > > in gpg.conf, that would be the logical place to look.
> >
> > cipher-algo, digest-algo, and especially cert-digest-algo fall into
> > the "esoteric" command category.  They are not something that should
> > be used except in very special circumstances, and those circumstances
> > are usually rare.
> >
> I see, enforcing the use of RIPEMD160 and TWOFISH instead of SHA1
> and whatever is esoteric.  But then again most folks don't have to
> deal with a security director who gets livid at the mention of SHA1
> or AES.  Well, come to think of it, maybe it is esoteric ;-) (Hope
> he doesn't see this)

Pretty esoteric :)

The danger in forcing an algorithm is that you don't know if the
recipient can handle it.  GnuPG does quite a bit of work to ensure
that it never picks an algorithm that the recipient can't handle, and
will warn you if you force the use of an algorithm the recipient can't
handle.  Of course, if you are only communicating within your company
then I guess you do know that the recipient can handle it.  Outside of
your company that isn't necessarily true since the only guaranteed
available algorithms in OpenPGP are the 3DES cipher and the SHA1
digest.

A safer way to encourage the use of an algorithm is to set:

  personal-cipher-preferences s10

That means "use TWOFISH if at all possible, and 3DES if not".  It
doesn't guarantee that you use TWOFISH at all times, but it does
guarantee that you'll never encode a message in a way that a recipient
can't handle.

The same thing can be done for digests:

  personal-digest-preferences h3

Meaning: "use RIPEMD/160 if possible, and SHA1 if not".

Yes, the syntax of "s10" or "h3" is not exactly intuitive.  In 1.4
(and in 1.3.x now), you can use the strings "twofish" or "ripemd160".

Frankly, the personal-xxx-preferences options are esoteric as well
since by default GnuPG always picks an algorithm that is usable by all
recipients.

David
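
The difference between forcing a cipher and stating a preference, as described in the message above, shown as an added example that is not part of the original post and is not GnuPG's code. It is a simplified model: the recipient names and their key preference lists are constructed, and the AES128 cipher ID (7) is taken from the OpenPGP specification rather than from the message.

```python
# Simplified model of the choice described in the message; not GnuPG's code.
# OpenPGP symmetric cipher IDs (the "sN" numbers used in gpg.conf).
TRIPLE_DES, AES128, TWOFISH = 2, 7, 10
NAMES = {2: "3DES", 7: "AES128", 10: "TWOFISH"}

def usable_by_all(recipient_prefs):
    """Ciphers every recipient can handle. 3DES is always included,
    because OpenPGP guarantees every implementation supports it."""
    common = None
    for prefs in recipient_prefs.values():
        caps = set(prefs) | {TRIPLE_DES}
        common = caps if common is None else common & caps
    return common if common is not None else {TRIPLE_DES}

def pick_cipher(personal_prefs, recipient_prefs):
    """personal-cipher-preferences: first of our preferences that all
    recipients can handle, else the guaranteed 3DES."""
    common = usable_by_all(recipient_prefs)
    for algo in personal_prefs:
        if algo in common:
            return algo
    return TRIPLE_DES

def forced_cipher_problems(forced, recipient_prefs):
    """cipher-algo: the algorithm is used regardless; return the recipients
    whose key preferences do not list it (the case GnuPG warns about)."""
    return sorted(name for name, prefs in recipient_prefs.items()
                  if forced not in set(prefs) | {TRIPLE_DES})

# Constructed sample recipients and their key preference lists.
INTERNAL = {"alice": [TWOFISH, AES128], "bob": [AES128, TWOFISH]}
MIXED = dict(INTERNAL, carol=[AES128])  # carol's key lists no TWOFISH

if __name__ == "__main__":
    for label, group in (("internal", INTERNAL), ("mixed", MIXED)):
        chosen = pick_cipher([TWOFISH], group)
        print(label, "preference s10 ->", NAMES[chosen],
              "| forcing TWOFISH fails for:",
              forced_cipher_problems(TWOFISH, group))
```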