riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Tue Jun 24 17:39:00 CEST 2014


> Just for the records: _I_ do not consider the use of a 4096 bit RSA key
> and a preference for SHA-512 a best practice.

I'll go one step further: I think the article is going to do more harm
than good.

When young people ask me where to begin programming, I tell them to just
begin.  Don't worry about whether JavaScript is better than Python or C
or anything else: just find something they think is neat and start.  The
most important thing for them is to begin, and the second-most important
thing is for them to finish what they begin.  Only later, once they're
well and truly on their way, should they start worrying about technical
details.

The same applies here.  The most important thing in using GnuPG is that
people begin using it; the second-most important thing is that they keep
on using it.  Guides such as these may ultimately do more harm than
good, in that they tend to lead new users into thinking they *have* to
do all these things, daunting and maybe even scary things (and let's be
clear: there's a lot of opaque terminology and technical jargon there!),
in order to effectively use GnuPG.

Which just isn't true.

The best practice for GnuPG: --gen-key and find a plugin for your email
client.  Everything after that needs to be relegated to an advanced
class.  There's nothing wrong with advanced material: advanced material
is great.  But let's not go about scaring newcomers by making them think
they need to do and understand all of that.



More information about the Gnupg-users mailing list