New user needs some help

Suspekt suspekt at gmx.de
Thu Jun 5 11:44:49 CEST 2014 

I just commented on things that I think you may change. I am no 
GPG-Master though. Note that there are people on this list with far more 
expertise than I have.

Am 05.06.2014 09:26, schrieb Cpp:
> - Create a 4096-bit RSA certification key with unlimited expiry
Set an expiration date. You can extend it any time, even after it has 
expired. In a worst case situation (keys and backups are lost) the key 
will not be valid for eternity.
> - Generate a revocation key, put it on the encrypted USB stick
Store the revocation certificate separately. Again, in a worst case (Key 
lost, backup lost) you can still revoke using the certificate. Some 
people print it out and store it at at their bank/safe place.

> And my gpg.conf (on the PC where the key is generated as well as on
> the laptop) looks like this:
> --------------------------------------------------
> # Keyserver settings
> keyserver hkps://hkps.pool.sks-keyservers.net
Dont know which OS you are using but this won't work if you're using 
Gpg4win on windows. It cant handle the hkps protocol.

> cert-digest-algo SHA512
This will you incompatibility with many (I think all) versions of PGP. 
Maybe its not relevant to you if you mainly communicate with people 
using GPG.


> A) Is my key generation procedure okay? Am I missing any critical
> steps? I mostly followed one of the articles I linked above. Are these
> keys (with additional signing subkey) compatible with other OpenPGP
> software?
see above

> C) What is the purpose of this line "sig-notation
> issuer-fpr at notations.openpgp.fifthhorseman.net=%g" in the config file?
> I can't seem to understand it. Why was it proposed? Is it compatible?
I'm not sure about this option and I don't really know what it means. 
Just leave it out.

> E) I noticed this: cert-digest-algo SHA512
> The GnuPG 2 manual (pg. 51) warns that if this is set to a value that
> other OpenPGP implementations don't support, some users will be unable
> to use my key signatures. Personally I don't mind using strong hashes,
> but is this going to be a problem? I have no idea what other OpenPGP
> implementations support. GnuPG is the only one I know about.
There are commercial implementations. The most known is probably PGP 
(The Original Software created by Phil Zimerman). Check it at Wikipedia.

> F) I like twofish. Should I add it to the list of my personal preferences?
Why not? If your GPG version supports it. Check with "gpg --version"

> G) I have read some complaints from users about keys that use long
> signature hashes like sha512. In particular this makes emails
> difficult to read because some discussions can get crowded with long
> signatures, which is rather irritating to read and navigate. Is it
> possible to use sha256 for email signatures, and sha512 for everything
> else i.e. signing files. I use Thunderbird with Enigmail on Linux.
Don't know, just use PGP/MIME instead of PGP/Inline. This will keep the 
hash separated from the text.
> H) Is it okay to generate PGP keys on a live linux CD? I mean is there
> sufficient entropy present? What can I do to introduce some more noise
> into the system? Some tutorials suggest moving the mouse, others tell
> me to use IO-heavy tasks i.e. the "find" command. Comments?
I would say it's best practice to use linux live cd and stay offline!
Move the mouse, open a texfile and beat your keyboard :) GPG will tell 
you if there is not enough entropy.

Daniel

More information about the Gnupg-users mailing list