Docs central, with 'Email Self-Defence'

Suspekt suspekt at gmx.de
Sun Jun 8 18:51:39 CEST 2014


On 08.06.2014 18:28, Peter Lebbing wrote:
> On 08/06/14 17:49, Suspekt wrote:
>> I have some links about key creation and gpg in general that I would provide of
>> course.
>
> There is a /lot/ of bad advice out there; I'd be wary of linking to it.
I understand that. But those links are out there and just by searching 
on the internet you'll find a lot of them, because they seem to be quite 
popular on Google... Maybe start a "bad practice" list? Naming and shaming?


> There is no single best way, a lot of bad ways, and a lot of clashing outspoken
> opinions.
>
> In my humble opinion, the best advice is: stick to the defaults, they are there
> for a reason. Unless you have a specific threat model, in which case, good for
> you, work with that, not your gut feeling.
I really like the idea of taking the threat model approach. The problem 
I see: What if I have a threat model with needs beyond the defaults? Say I 
assume that someone could launch a targeted attack, where should I look 
up best practices then?

I recently started to dive into gpg and find it very hard to find 
reliable information between "just stick to the defaults" and "look up 
RFC 4880". Looking at the GnuPG homepage I can choose between 1-4 howtos, 
a 158-page manual, the man page, the GNU Privacy Handbook and the GnuPG FAQ.

I think that is part of the reason for many blog posts and some of the 
questions on this mailing list: based on the official documentation it's 
kind of hard to make the step between "beginner" and "master of the gpg 
universe".



