'sign (and cert)' or just 'cert' on a master key with subkeys

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Jul 31 18:38:09 CEST 2017

On 07/31/2017 05:49 PM, Dirk-Willem van Gulik wrote:
> For what it is worth - the various best practices at `riseup.net'[1] seem to strike a good middle ground.

For what it is worth, I disagree.

The main problem I have with that document is that it implies the user 
should care about a lot of details that he actually should not have to 
care about, especially with a decently recent GnuPG version.


* Starting from GnuPG 2.1.16, the user has nothing to do to use the SKS 
keyserver pool, that's already the default. There's no need to manually 
download the CA certificate for the pool, either, because it is now 
included directly in GnuPG.

* There is no need to "ensure that all keys are refreshed through the 
keyserver you have selected"--the honor-keyserver-url option is already 
disabled by default.

* There is no need to generate a revocation certificate. GnuPG already 
does that when you create a new keypair. You need to do it yourself only 
if you generated your key some years ago, before automatic generation of 
revocation certificates was implemented (i.e. before GnuPG 2.1).

* There is nothing to do to "have a separate subkey for encryption". 
When creating a new keypair, GnuPG automatically creates a primary key 
for signing and certifying, *and* a subkey for encryption. (I do not 
remember when GnuPG started to do that, but I am pretty sure this is not 
new at all.)

* Unless you generated your key a long time ago, you absolutely do not 
have to "make sure your key is OpenPGPv4". No recent or even 
not-so-recent version of GnuPG will ever generate a v3 key.

* Likewise, there is no need to check that self-signatures do not use 
MD5, unless your keys are *very old*.

* Likewise for SHA-1. I think GnuPG stopped using SHA-1 as the default 
hash algorithm sometime in 2009.

So all of that advice could be replaced by a single item: "Use a recent 
GnuPG version. Ideally, use the most recent version available. At the 
very least, do not use a decade-old version."

The problem with recommending unnecessary steps is that they will 
confuse the beginner and make him think that GnuPG is more difficult to 
use than it already is.
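[Added example, not part of the message above or of GnuPG itself.] For anyone who does hold a key old enough that the checks above still matter, the following script inspects an exported key for the three properties mentioned (key version, digest algorithm of the self-signatures, presence of an encryption-capable subkey). It parses the text that GnuPG 2.1 prints for `gpg --export KEYID | gpg --list-packets`; the two dumps embedded at the bottom are constructed samples (made-up key IDs, offsets and digests), one modern v4 key and one v3 key with MD5 self-signatures, not real keys. Digest and key-flag numbers follow RFC 4880 (MD5 = 1, SHA-1 = 2; key flags 0x04/0x08 = encrypt).

```python
"""Audit an OpenPGP key from `gpg --list-packets` output (added example).

Assumes the dump format of GnuPG 2.1's --list-packets. Sample dumps below
are constructed for illustration, not real keys.
"""
import re

DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2}                    # MD5, SHA-1
ENCRYPT_FLAGS = 0x0C                     # key flags 0x04 (comms) | 0x08 (storage)
ENCRYPT_ALGOS = {2, 16, 18}              # RSA-E, Elgamal-E, ECDH (no key flags present)
SELF_SIG_CLASSES = {0x10, 0x11, 0x12, 0x13, 0x18}   # UID certifications, subkey binding

PACKET_RE = re.compile(r":(public key|public sub key|secret key|secret sub key|"
                       r"signature|user ID) packet:(.*)")
KEY_VER_RE = re.compile(r"version (\d+), algo (\d+)")
SIG_VER_RE = re.compile(r"version (\d+), created \d+, md5len \d+, sigclass 0x([0-9a-fA-F]+)")
KEYID_RE = re.compile(r"keyid:? ([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")
FLAGS_RE = re.compile(r"key flags: ([0-9a-fA-F]+)")


def parse_packets(dump):
    """Split a --list-packets dump into one dict per packet."""
    packets, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # "# off=... ctb=..." lines
            continue
        m = PACKET_RE.match(line)
        if m:
            cur = {"type": m.group(1)}
            packets.append(cur)
            if cur["type"] == "signature":              # issuer keyid sits on the header line
                hdr = re.search(r"algo (\d+), keyid ([0-9A-Fa-f]+)", m.group(2))
                cur["algo"], cur["keyid"] = int(hdr.group(1)), hdr.group(2)
            continue
        if cur is None:
            continue
        m = KEY_VER_RE.match(line)
        if m and "key" in cur["type"]:
            cur["version"], cur["algo"] = int(m.group(1)), int(m.group(2))
            continue
        m = SIG_VER_RE.match(line)
        if m and cur["type"] == "signature":
            cur["version"], cur["sigclass"] = int(m.group(1)), int(m.group(2), 16)
            continue
        for key, rx, conv in (("keyid", KEYID_RE, str), ("digest", DIGEST_RE, int)):
            m = rx.match(line)
            if m:
                cur[key] = conv(m.group(1))
        m = FLAGS_RE.search(line)                       # "hashed subpkt 27 len 1 (key flags: 0C)"
        if m:
            cur["key_flags"] = int(m.group(1), 16)
    return packets


def audit_key(dump):
    """Report key version, weak self-signature digests and encryption subkey presence."""
    packets = parse_packets(dump)
    report = {"key_version": None, "weak_self_sigs": [],
              "has_encryption_subkey": False, "issues": []}
    primary = next((p for p in packets if p["type"] in ("public key", "secret key")), None)
    if primary is None:
        report["issues"].append("no primary key packet found")
        return report
    report["key_version"] = primary.get("version")
    if report["key_version"] != 4:
        report["issues"].append("primary key is v%s, not OpenPGP v4" % report["key_version"])
    subkey = None
    for p in packets:
        if p["type"] in ("public sub key", "secret sub key"):
            subkey = p
        elif (p["type"] == "signature" and p.get("keyid") == primary.get("keyid")
              and p.get("sigclass") in SELF_SIG_CLASSES):
            if p.get("digest") in WEAK_DIGESTS:
                report["weak_self_sigs"].append(DIGEST_NAMES[p["digest"]])
            if p["sigclass"] == 0x18 and subkey is not None:     # subkey binding signature
                if "key_flags" in p:
                    can_encrypt = bool(p["key_flags"] & ENCRYPT_FLAGS)
                else:                                            # v3 sigs carry no key flags
                    can_encrypt = subkey.get("algo") in ENCRYPT_ALGOS
                report["has_encryption_subkey"] = report["has_encryption_subkey"] or can_encrypt
    if report["weak_self_sigs"]:
        report["issues"].append("self-signatures use " + ", ".join(sorted(set(report["weak_self_sigs"]))))
    if not report["has_encryption_subkey"]:
        report["issues"].append("no encryption-capable subkey")
    return report


# Constructed sample: what a key generated by a recent GnuPG looks like.
MODERN_KEY = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1501000000, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    keyid: 0123456789ABCDEF
:user ID packet: "Alice <alice@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1501000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 3a 7b
    hashed subpkt 27 len 1 (key flags: 03)
:public sub key packet:
    version 4, algo 1, created 1501000000, expires 0
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1501000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest c4 d1
    hashed subpkt 27 len 1 (key flags: 0C)
"""

# Constructed sample: a decade-old v3 key with an MD5 self-signature and no subkey.
OLD_KEY = """\
:public key packet:
    version 3, algo 1, created 900000000, expires 0
    keyid: 89ABCDEF01234567
:user ID packet: "Bob <bob@example.org>"
:signature packet: algo 1, keyid 89ABCDEF01234567
    version 3, created 900000000, md5len 5, sigclass 0x13
    digest algo 1, begin of digest 9f 02
"""

if __name__ == "__main__":
    for name, dump in (("modern", MODERN_KEY), ("old", OLD_KEY)):
        print(name, audit_key(dump))
```

On a real key, feed `gpg --export KEYID | gpg --list-packets` into `audit_key`; an empty `issues` list is the expected result for anything generated by GnuPG 2.x with its defaults, which is the point of the message above.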


