Best Practices
Robert J. Hansen
rjh at sixdemonbag.org
Sun Dec 12 08:58:12 CET 2010
On 12/12/2010 2:10 AM, David Tomaschik wrote:
> In my gpg.conf, I have (other than keyserver/no-greeting/etc. settings):
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
>
> Are there any other settings (or changes to these) that would be
> considered more "forward looking"?

personal-digest-prefs is probably a bit off. For instance, if for any
reason SHA512 is unavailable it will degrade to SHA-1, which you
probably don't want. It's generally best to include all the algorithms
you'll accept, in whatever order you like. E.g.:

    personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1

This way you have a natural degradation in hash preferences: rather than
immediately degrading to SHA-1, it gives you more options to keep on
using strong hashes.
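
The fallback described in this message, modelled as an added Python example (not part of the original post and not GnuPG's own selection code). It assumes a simplified rule: the first listed digest that is usable wins, and SHA-1, OpenPGP's must-implement hash, is the implicit last resort; the function names and sample configs are constructed for illustration.

```python
# Simplified model of digest fallback; hypothetical helper names throughout.
IMPLICIT_FALLBACK = "SHA1"  # must-implement hash in OpenPGP (RFC 4880)

# Constructed sample configs mirroring the two settings discussed above.
CONF_SINGLE = """\
# constructed sample
personal-digest-preferences SHA512
cert-digest-algo SHA512
"""
CONF_FULL = """\
# constructed sample
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1
cert-digest-algo SHA512
"""

def digest_prefs(conf_text):
    """Return the personal-digest-preferences list found in gpg.conf text."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # gpg.conf accepts long option names with or without leading dashes.
        if parts[0].lstrip("-") == "personal-digest-preferences":
            return [p.upper() for p in parts[1:]]  # simplification: first match
    return []

def pick_digest(prefs, usable):
    """First preferred digest that is usable, otherwise the implicit SHA-1."""
    usable = {u.upper() for u in usable}
    for algo in prefs:
        if algo in usable:
            return algo
    return IMPLICIT_FALLBACK

def audit(conf_text, usable):
    """Return (chosen digest, True if we fell through to SHA-1 unwillingly)."""
    prefs = digest_prefs(conf_text)
    chosen = pick_digest(prefs, usable)
    degraded = chosen == IMPLICIT_FALLBACK and prefs[:1] != [IMPLICIT_FALLBACK]
    return chosen, degraded

if __name__ == "__main__":
    # Constructed scenario: SHA512 is not usable for this message.
    no_sha512 = {"SHA384", "SHA256", "SHA224", "RIPEMD160", "SHA1"}
    for name, conf in (("single", CONF_SINGLE), ("full", CONF_FULL)):
        print(name, audit(conf, no_sha512))
```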