On 01/12/2015 02:34 AM, Brian Dolbec wrote:
> On Sun, 11 Jan 2015 12:06:18 -0500 Rich Freeman <ri...@gentoo.org> wrote:
>
>> On Sun, Jan 11, 2015 at 11:43 AM, Brian Dolbec <dol...@gentoo.org> wrote:
>>> Of the remaining devs, only 16 keys total pass the GLEP 63 requirements. More info can be found in the First-Use wiki page [4]
>>
>> If you just create a gpg key with 5yr expiry and otherwise-default options, typing a larger number into the keysize prompt, do you get a compliant key? The guides talk about editing your gpg.conf, and it looks like the tool does it for you, but is any of that necessary to generate a compliant key? I'd prefer raw gpg commands and not a script that automates everything.
>>
>> Would this work:
>> gpg --gen-key
>> option 2 - DSA and Elgamal
>> size 3072 (the max)
>> expires 5y
>> Enter your name, email, and passphrase.
>>
>> I've been putting off generating a new key until this all settles down, and would prefer to mess with it as infrequently as possible. Most likely I'll just switch to a Gentoo-dedicated key for the tree.
>>
>
> Wait for Kristian to reply about the algorithm choice.
GnuPG defaults to a 2048 bit RSA primary key with a 2048 bit RSA encryption subkey. DSA and ElGamal have not been the default for a while, for a few reasons. For those interested in a bit more technical detail, read further.

One issue with DSA/ElGamal is the requirement for a random k value while signing/encrypting, i.e. there is a requirement for a random source for all signatures and encryption, not only while generating the key, and the lack of proper randomness can cause private key leakage (in the case of signatures). This can be mitigated by the use of RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", however this was only introduced in libgcrypt 1.6.

Another issue is that DSA key sizes > 1024 bits are part of what is commonly referred to as the DSA2 standard, so this is less interoperable with older versions.

Newer versions of GnuPG (in the 2.1 branch) won't give an algorithm choice at all unless --full-gen-key is used, but generate using the defaults.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
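The per-signature k problem and the RFC 6979 mitigation Kristian describes, as an added Python example (not GnuPG or libgcrypt code): rfc6979_k derives DSA's k from the private key and the message hash with the HMAC-DRBG of RFC 6979 sec. 3.2, so no random source is needed at signing time, and signing the same message with the same key always yields the same (r, s). The DSA group, private key and message are constructed for the demo and are not secure parameters.

```python
import hashlib
import hmac
def bits2int(b, qlen):
    # Leftmost qlen bits of b (RFC 6979 sec. 2.3.2); also DSA's hash truncation.
    return int.from_bytes(b, "big") >> max(len(b) * 8 - qlen, 0)

def rfc6979_k(q, x, msg, H=hashlib.sha256):
    # RFC 6979 sec. 3.2: HMAC-DRBG seeded with int2octets(x) || bits2octets(H(msg)).
    qlen, rlen = q.bit_length(), (q.bit_length() + 7) // 8
    h1 = H(msg).digest()
    seed = x.to_bytes(rlen, "big") + (bits2int(h1, qlen) % q).to_bytes(rlen, "big")
    V, K = b"\x01" * len(h1), b"\x00" * len(h1)
    K = hmac.new(K, V + b"\x00" + seed, H).digest()
    V = hmac.new(K, V, H).digest()
    K = hmac.new(K, V + b"\x01" + seed, H).digest()
    V = hmac.new(K, V, H).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, H).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:          # accept only k in [1, q-1]
            return k
        K = hmac.new(K, V + b"\x00", H).digest()   # else update state and retry
        V = hmac.new(K, V, H).digest()

def make_group(q=2**127 - 1):
    # Constructed demo group: q is a Mersenne prime; p = m*q + 1 is the first
    # such value passing a Fermat test on a few bases; g = 2^m then has order q.
    m = 2
    while True:
        p = m * q + 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)) and pow(2, m, p) != 1:
            return p, q, pow(2, m, p)
        m += 2

def dsa_sign(p, q, g, x, msg):
    k = rfc6979_k(q, x, msg)    # same (x, msg) -> same k -> same signature
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (bits2int(hashlib.sha256(msg).digest(), q.bit_length()) + x * r) % q
    return r, s

def dsa_verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = bits2int(hashlib.sha256(msg).digest(), q.bit_length())
    return (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q == r
```

With a random k, two signatures over the same message would differ; here they are byte-identical, which is exactly the property that removes the dependence on the signing host's entropy.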