FAQ October 2019 update

Robert J. Hansen rjh at sixdemonbag.org
Tue Oct 15 22:59:23 CEST 2019


Let's start with the most important thing:

> I am sorry for having to write these harsh comments

I didn't find your comments harsh, but thank you for being considerate.  :)

>> * Every reference to the SKS keyserver network now points to
>> keys.openpgp.org.  Reason: the SKS attacks a few months ago.
> 
> I have to object against this change.  The SKS server network is still
> useful and definitely more useful than a non-matured and centralized
> keyserver.

I can't agree with this.  SKS is effectively dead.  Older GnuPG
installations can still get utterly wedged if they pull down a poisoned
certificate from SKS.  There are a *lot* of these older installations
out there in the wild, and what we suggest to them should not lead them
into wedging their system.

Should they update?  Yes.  Is the problem mitigated by an update?  Yes.
But will they?  Probably not before wedging their keyring.  Given that
high-profile people in the community have had our certificates defaced,
it's possible someone will say "I want to ask dkg a question," pull down
his cert, get wedged, and... etc.

I think it's dangerous to our users to continue to recommend SKS in the
face of a well-known poisoning problem.

> suggesting the use of that specific keyserver is a no-go.

I'm fine with this.  My major concern is removing SKS recommendations.

>> * All references to 2048-bit crypto are updated to refer to 3072-bit
>> crypto.  Reason: GnuPG now defaults to 3072-bit RSA.
> 
> Okay.  But this
> 
>   +your certificate uses 2048-bit keys we recommend retiring them and
>   +migrating to a new keypair of at least 3072 bits length.  You can do
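
Review bot: "at least 3072 bits length" in the second added line should read "at least 3072 bits in length", and the first added line needs a comma after "2048-bit keys". The added text also recommends retiring 2048-bit keys without giving a reason or a timeframe; consider stating the reason in the same sentence (the change description gives it as GnuPG now defaulting to 3072-bit RSA) so readers can judge the urgency for themselves.
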
> 
> is a no-go because we will have a hard time to convince people that
> this is just a geek suggestion and that for almost all general use of
> gpg the existing keys are still fine.  Actually 2k keys are still
> allowed in Germany for restricted communication and there is no need for
> an immediate rush to 3k.

I agree there is no immediate rush: the US guidance says they're safe
until 2030.  But for many years we advised people to use 2048-bit keys,
now we're generating 3072-bit keys by default.  At the very least the
old guidance on 2048-bit keys needs to be dropped.  Whether we explain
it away as "we're now using 3072-bit keys by default, in order to get a
long head start on 2048's obsolescence" or "we're going to be moving to
ECC in the near future" matters little to me, but we need to explain the
shift away from 2048.

> I also wonder why you removed this
> 
>   -If you need more security than RSA-2048 offers, the way to go would be
>   -to switch to elliptical curve cryptography — not to continue using
>   -RSA.

Because it raises an immediate question of, "then why does GnuPG default
to RSA-3072, if the FAQ's guidance is past -2048 to use ECC?"  The FAQ's
statement collides with what GnuPG actually does.

> That is a matter of minutes.  I only had a brief look at it but I can't
> see that your changes are subject to frequently asked questions here.

There were three major changes: keyservers, key lengths, and an email
address.  All three existed in prior iterations of the FAQ.  If you
think they should be dropped, I'm all for that conversation, but please
keep in mind that I'm not adding new subjects to the FAQ: in this pass I
was updating existing content.



