I just commented on things that I think you may change. I am no
GPG-Master though. Note that there are people on this list with far more
expertise than I have.
Am 05.06.2014 09:26, schrieb Cpp:
- Create a 4096-bit RSA certification key with unlimited expiry
Set an expiration date. You can extend it any time, even after it has
expired. In a worst case situation (keys and backups are lost) the key
will not be valid for eternity.
- Generate a revocation key, put it on the encrypted USB stick
Store the revocation certificate separately. Again, in a worst case (Key
lost, backup lost) you can still revoke using the certificate. Some
people print it out and store it at at their bank/safe place.
And my gpg.conf (on the PC where the key is generated as well as on
the laptop) looks like this:
--------------------------------------------------
# Keyserver settings
keyserver hkps://hkps.pool.sks-keyservers.net
Dont know which OS you are using but this won't work if you're using
Gpg4win on windows. It cant handle the hkps protocol.
cert-digest-algo SHA512
This will you incompatibility with many (I think all) versions of PGP.
Maybe its not relevant to you if you mainly communicate with people
using GPG.
A) Is my key generation procedure okay? Am I missing any critical
steps? I mostly followed one of the articles I linked above. Are these
keys (with additional signing subkey) compatible with other OpenPGP
software?
see above
C) What is the purpose of this line "sig-notation
issuer-...@notations.openpgp.fifthhorseman.net=%g" in the config file?
I can't seem to understand it. Why was it proposed? Is it compatible?
I'm not sure about this option and I don't really know what it means.
Just leave it out.
E) I noticed this: cert-digest-algo SHA512
The GnuPG 2 manual (pg. 51) warns that if this is set to a value that
other OpenPGP implementations don't support, some users will be unable
to use my key signatures. Personally I don't mind using strong hashes,
but is this going to be a problem? I have no idea what other OpenPGP
implementations support. GnuPG is the only one I know about.
There are commercial implementations. The most known is probably PGP
(The Original Software created by Phil Zimerman). Check it at Wikipedia.
F) I like twofish. Should I add it to the list of my personal preferences?
Why not? If your GPG version supports it. Check with "gpg --version"
G) I have read some complaints from users about keys that use long
signature hashes like sha512. In particular this makes emails
difficult to read because some discussions can get crowded with long
signatures, which is rather irritating to read and navigate. Is it
possible to use sha256 for email signatures, and sha512 for everything
else i.e. signing files. I use Thunderbird with Enigmail on Linux.
Don't know, just use PGP/MIME instead of PGP/Inline. This will keep the
hash separated from the text.
H) Is it okay to generate PGP keys on a live linux CD? I mean is there
sufficient entropy present? What can I do to introduce some more noise
into the system? Some tutorials suggest moving the mouse, others tell
me to use IO-heavy tasks i.e. the "find" command. Comments?
I would say it's best practice to use linux live cd and stay offline!
Move the mouse, open a texfile and beat your keyboard :) GPG will tell
you if there is not enough entropy.
Daniel
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
