public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-dev] RFC: Gentoo GPG key policies
@ 2013-02-18 23:27 Robin H. Johnson
  2013-02-18 23:41 ` Robin H. Johnson
                   ` (6 more replies)
  0 siblings, 7 replies; 44+ messages in thread
From: Robin H. Johnson @ 2013-02-18 23:27 UTC (permalink / raw
  To: gentoo-dev

Hi all,

I've been asked a couple of times in IRC and other mediums, about what
GPG key settings etc to use. I would not not call these final yet, but should
be fairly close to final.

This was originally intended to be part of the tree-signing GLEP series, but
was in one of the unpublished ones (GLEPxx+3 in the references). I guess if
there are no major objections to the below, I'll finalize them into the GLEP.
This will replace the conflicting information in:
http://devmanual.gentoo.org/general-concepts/manifest/index.html
http://www.gentoo.org/doc/en/gnupg-user.xml

The following is based on: 
- NIST SP 800-57 recommendations
- Debian GPG documentation
- RiseUp.net OpenPGP best practices.

Bare minimum requirements:
--------------------------
1. SHA2-series output digest (SHA1 digests internally permitted).
   "personal-digest-preferences SHA256"
2. root key & signing subkey of EITHER:
2.1. DSA, 1024 or 2048 bits
2.2. RSA, >=2048 bits
3. Key expiry: 5 years.

Recommendations:
----------------
1. SHA2-series digest on output & certifications:
   "personal-digest-preferences SHA256"
   "cert-digest-algo SHA256"
2. Root key type of RSA, 4096 bits
2.1. This may require creating an entirely new key.
3. Dedicated Gentoo signing subkey of EITHER:
3.1. DSA 2048 bits
3.2. RSA 4096 bits
4. Key expiry:
4.1. Root key: 3 year max.
4.2. Gentoo subkey: 1 year max.
5. Create a revocation certificate & store it hardcopy offsite securely
   (it's about ~300 bytes).
6. Encrypted backup of your secret keys.
7. In your gpg.conf:
   # include an unambiguous indicator of which key made a signature:
   # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
   sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

Notes/FAQ:
----------
1. "Ok, so how do I follow this?"
   http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
   http://keyring.debian.org/creating-key.html
2. "How can I be really sure/paranoid enough?"
   https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
3. Every 3-6 months, and/or before key expiry and major keysigning
   events, you should update your key expiry date with the 'expire'
   command (remember to do all subkeys). Put it on your calendar!
4. If you intend to sign on a slow alternative-arch, you may find adding
   a DSA1024 subkey significantly speeds up the signing.
5. Can you give me a full ~/.gnupg/gpg.conf file?
===
# -- robbat2's recommendations:
keyserver pool.sks-keyservers.net
emit-version
default-recipient-self
# -- All of the below portion from the RiseUp.net OpenPGP best practices, and
# -- many of them are also in the Debian GPG documentation.
# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
# long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
keyid-format 0xlong
# when multiple digests are supported by all recipients, choose the strongest one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# preferences chosen for new keys should prioritize stronger algorithms: 
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# If you use a graphical environment (and even if you don't) you should be using an agent:
# (similar arguments as  https://www.debian-administration.org/users/dkg/weblog/64)
use-agent
# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity
# include an unambiguous indicator of which key made a signature:
# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
===

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85


^ permalink raw reply	[flat|nested] 44+ messages in thread

end of thread, other threads:[~2013-03-22 14:19 UTC | newest]

Thread overview: 44+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-18 23:27 [gentoo-dev] RFC: Gentoo GPG key policies Robin H. Johnson
2013-02-18 23:41 ` Robin H. Johnson
2013-02-19  3:36   ` Kent Fredric
2013-02-19  4:09     ` Robin H. Johnson
2013-02-19  4:46       ` Brian Dolbec
2013-02-19  7:38       ` Kent Fredric
2013-02-19 15:52         ` Alec Warner
2013-02-19  4:25     ` [gentoo-dev] " Ryan Hill
2013-02-19  6:51 ` [gentoo-dev] " Eray Aslan
2013-02-20  0:34 ` Stefan Behte
2013-02-20  3:12   ` Robin H. Johnson
2013-02-20  6:32     ` Alec Warner
2013-02-20 17:05       ` Robin H. Johnson
2013-02-20 18:41 ` James Cloos
2013-02-20 19:36   ` Robin H. Johnson
2013-02-20 20:22     ` Andreas K. Huettel
2013-02-20 21:31       ` Robin H. Johnson
2013-02-20 20:38 ` Luis Ressel
2013-02-20 21:37   ` Robin H. Johnson
2013-02-20 21:55     ` Luis Ressel
2013-02-21  9:09 ` Michał Górny
2013-02-21  9:41   ` Markos Chandras
2013-02-26 10:10 ` grozin
2013-02-27 15:12   ` Luis Ressel
2013-02-27 19:04     ` Robin H. Johnson
2013-02-27 20:27       ` Alec Warner
2013-03-14  3:50       ` grozin
2013-03-14  7:19         ` justin
2013-03-14  9:12         ` Robin H. Johnson
2013-03-14 15:26           ` Zac Medico
2013-03-14 16:14             ` Michał Górny
2013-03-14 16:30               ` Zac Medico
2013-03-15  0:58                 ` Robin H. Johnson
2013-03-15  1:01               ` Robin H. Johnson
2013-03-15  2:32                 ` Michael Mol
2013-03-15  3:18                   ` Robin H. Johnson
2013-03-15  3:33                     ` Michael Mol
2013-03-15  5:12                       ` Robin H. Johnson
2013-03-15  4:44                     ` Michał Górny
2013-03-15  5:01                       ` Robin H. Johnson
2013-03-22  6:37           ` grozin
2013-03-22  8:36             ` Panagiotis Christopoulos
2013-03-22  8:47               ` grozin
2013-03-22 14:19                 ` David Abbott

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox