'sign (and cert)' or just 'cert' on a master key with subkeus
dgouttegattat at incenp.org
Mon Jul 31 18:38:09 CEST 2017
On 07/31/2017 05:49 PM, Dirk-Willem van Gulik wrote:
> For what it is worth - the various best practices at `riseup.net’ seem to strike a good middle ground.
For what it is worth, I disagree.
The main problem I have with that document is that it implies the user
should care about a lot of details that he actually should not have to
care about, especially with a decently recent GnuPG version.
* Starting from GnuPG 2.1.16, the user has nothing to do to use the SKS
keyserver pool, that's already the default. There's no need to manually
download the CA certificate for the pool, either, because it is now
included directly in GnuPG.
* There is no need to "ensure that all keys are refreshed through the
keyserver you have selected"--the honor-keyserver-url option is already
disabled by default.
* There is no need to generate a revocation certificate. GnuPG already
does that when you create a new keypair. You need to do it yourself only
if you generated your key some years ago, before automatic generation of
revocation certificates was implemented (i.e. before GnuPG 2.1).
* There is no nothing to do to "have a separate subkey for encryption".
When creating a new keypair, GnuPG automatically creates a primary key
for signing and certifying, *and* a subkey for encryption. (I do not
remember when GnuPG started to do that, but I am pretty sure this is not
new at all.)
* Unless you generated your key a long time ago, you absolutely do not
have to "make sure your key is OpenPGPv4". No recent or even
not-so-recent version of GnuPG will ever generate a v3 key.
* Likewise, there is no need to check that self-signatures do not use
MD5, unless your keys are *very old*.
* Likewise for SHA-1. I think GnuPG stopped using SHA-1 as the default
hash algorithm sometimes in 2009.
So all of those advices could be replaced by a single one: "Use a recent
GnuPG version. Ideally, use the most recent version available. At the
very least, do not use a decade-old version."
The problem with recommanding unnecessary steps is that they will
confuse the beginner and make him think that GnuPG is more difficult to
use than it already is.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users