Mailing List Archive: Gentoo: Dev
RFC: Gentoo GPG key policies


robbat2 at gentoo

Feb 18, 2013, 3:27 PM


Hi all,

I've been asked a couple of times in IRC and other mediums, about what
GPG key settings etc. to use. I would not call these final yet, but they should
be fairly close to final.

This was originally intended to be part of the tree-signing GLEP series, but
was in one of the unpublished ones (GLEPxx+3 in the references). I guess if
there are no major objections to the below, I'll finalize them into the GLEP.
This will replace the conflicting information in:
http://devmanual.gentoo.org/general-concepts/manifest/index.html
http://www.gentoo.org/doc/en/gnupg-user.xml

The following is based on:
- NIST SP 800-57 recommendations
- Debian GPG documentation
- RiseUp.net OpenPGP best practices.

Bare minimum requirements:
--------------------------
1. SHA2-series output digest (SHA1 digests internally permitted).
"personal-digest-preferences SHA256"
2. root key & signing subkey of EITHER:
2.1. DSA, 1024 or 2048 bits
2.2. RSA, >=2048 bits
3. Key expiry: 5 years.

Recommendations:
----------------
1. SHA2-series digest on output & certifications:
"personal-digest-preferences SHA256"
"cert-digest-algo SHA256"
2. Root key type of RSA, 4096 bits
2.1. This may require creating an entirely new key.
3. Dedicated Gentoo signing subkey of EITHER:
3.1. DSA 2048 bits
3.2. RSA 4096 bits
4. Key expiry:
4.1. Root key: 3 year max.
4.2. Gentoo subkey: 1 year max.
5. Create a revocation certificate & store it hardcopy offsite securely
(it's about ~300 bytes).
6. Encrypted backup of your secret keys.
7. In your gpg.conf:
# include an unambiguous indicator of which key made a signature:
# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

Notes/FAQ:
----------
1. "Ok, so how do I follow this?"
http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
http://keyring.debian.org/creating-key.html
2. "How can I be really sure/paranoid enough?"
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
3. Every 3-6 months, and/or before key expiry and major keysigning
events, you should update your key expiry date with the 'expire'
command (remember to do all subkeys). Put it on your calendar!
4. If you intend to sign on a slow alternative-arch, you may find adding
a DSA1024 subkey significantly speeds up the signing.
5. Can you give me a full ~/.gnupg/gpg.conf file?
===
# -- robbat2's recommendations:
keyserver pool.sks-keyservers.net
emit-version
default-recipient-self
# -- All of the below portion from the RiseUp.net OpenPGP best practices, and
# -- many of them are also in the Debian GPG documentation.
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
keyid-format 0xlong
# when multiple digests are supported by all recipients, choose the strongest one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# preferences chosen for new keys should prioritize stronger algorithms:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# If you use a graphical environment (and even if you don't) you should be using an agent:
# (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
use-agent
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity
# include an unambiguous indicator of which key made a signature:
# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
===

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2 [at] gentoo
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

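The following is an added example, not part of robbat2's mail: a small checker that reads the `gpg --with-colons --list-keys` output for a key and reports which of the bare-minimum requirements (RSA >= 2048 or DSA 1024/2048, expiry at most 5 years) it breaks and which recommendations (RSA 4096 root, DSA 2048 / RSA 4096 dedicated signing subkey, 3-year root / 1-year subkey expiry) it misses. It assumes the GnuPG 2.x colon format (epoch-second dates, key capabilities in field 12); the sample key is constructed.

```python
# Added example (not from the mail): check a key against the bare-minimum and recommended
# settings above using `gpg --with-colons --list-keys` output (GnuPG 2.x format assumed:
# epoch-second dates, key capabilities in field 12).
ALGO = {1: "RSA", 17: "DSA", 16: "ELG", 18: "ECDH", 19: "ECDSA", 22: "EDDSA"}
YEAR = 365 * 86400

def parse_colons(text):
    """Group each 'pub' record with its 'sub' records; other record types are skipped."""
    keys = []
    for f in (line.split(":") for line in text.splitlines()):
        if f[0] not in ("pub", "sub"):
            continue
        rec = {"bits": int(f[2]), "algo": ALGO.get(int(f[3]), f[3]), "keyid": f[4],
               "created": int(f[5]), "expires": int(f[6]) if f[6] else None, "caps": f[11]}
        target = keys[-1]["subs"] if f[0] == "sub" else keys
        target.append(rec if f[0] == "sub" else {"pub": rec, "subs": []})
    return keys

def strong_enough(rec, minimum):
    """Minimum: DSA 1024/2048 or RSA >= 2048. Recommended: DSA 2048 or RSA 4096."""
    if rec["algo"] == "RSA":
        return rec["bits"] >= (2048 if minimum else 4096)
    if rec["algo"] == "DSA":
        return rec["bits"] in ((1024, 2048) if minimum else (2048,))
    return False  # anything else is outside the policy entirely

def check_key(key):
    """Return (violations, warnings): violations break the minimum, warnings the recommendations."""
    pub, subs = key["pub"], key["subs"]
    violations, warnings = [], []
    signing = [s for s in subs if "s" in s["caps"]]
    if not signing:  # recommendation 3 wants a dedicated subkey; a signing root key still meets the minimum
        (warnings if "s" in pub["caps"] else violations).append("no dedicated signing subkey")
    checks = [("root key", pub, 3)] + [("signing subkey", s, 1) for s in signing]
    for role, rec, rec_max_years in checks:
        name = f"{role} {rec['algo']}-{rec['bits']}"
        if not strong_enough(rec, minimum=True):
            violations.append(f"{name} below bare minimum")
        elif not strong_enough(rec, minimum=False):
            warnings.append(f"{name} below recommendation")
        life = None if rec["expires"] is None else (rec["expires"] - rec["created"]) / YEAR
        if life is None or life > 5:
            violations.append(f"{role} expiry missing or over 5 years")
        elif life > rec_max_years:
            warnings.append(f"{role} expiry over {rec_max_years} year(s)")
    return violations, warnings

# Constructed sample: RSA-2048 root expiring after 8 years, DSA-1024 signing subkey for 1 year.
SAMPLE = ("pub:u:2048:1:0123456789ABCDEF:1361145600:1613433600::u:::scESC::::\n"
          "sub:u:1024:17:FEDCBA9876543210:1361145600:1392681600:::::s::::\n")
```

Run it against real output with `gpg --with-colons --list-keys <keyid>` piped into `parse_colons`; the sample key above yields one violation (root expiry over 5 years) and two warnings (root and subkey below the recommended strengths).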