On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
> 2/ It is suggested to update gnupg.conf with:
>
> personal-digest-preferences SHA256
> cert-digest-algo SHA256
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5
> ZLIB BZIP2 ZIP Uncompressed
>
> Is it still needed with GnuPG 1.4.11 ?

This isn't strictly needed with any version of GnuPG. However, these settings choose algorithms which are known to be stronger (avoiding MD5 and the mandatory but somewhat weakened SHA1).

Setting default-preference-list specifies which algorithms you prefer in your key's self-signature (which you can always change later). Implementations are forbidden from using algorithms (other than the default must-implement ones) that you do not specify in your self-signature. Using cert-digest-algo chooses the algorithm you will use in signing keys. And finally, personal-digest-preferences is the algorithm you will use when signing data.

If you know what you're doing, you can choose the algorithms you prefer here instead of these. If you don't, these are fine choices.

> 3/ The -gen-key menu has changed from the tutorial, it is now:
>
> Please select what kind of key you want:
> (1) RSA and RSA (default)
> (2) DSA and Elgamal
> (3) DSA (sign only)
> (4) RSA (sign only)
>
> Again Ana's blog has been updated and it looks legal (and a good idea)
> to select the (1) option which also generates an encryption key in one
> go. Is that correct ?

Yes. It creates an RSA main key (used for signing other keys and possibly data) and an RSA encryption-only subkey. Some people use a subkey for signing as well, but that can be generated later. I recommend using the largest size possible, which IIRC is 4096 bits.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
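An added example, not part of the original mail or of GnuPG: a small Python check that reads gpg.conf-style text and reports whether the three options discussed in the reply above are set and whether their most-preferred digest avoids MD5 and SHA1. The function names and the `WEAK` sample are constructed for illustration; it assumes algorithms are written by name rather than as numeric preference codes.

```python
# Added example: audit gpg.conf-style text for the three digest-related options.
# All names here are hypothetical; algorithms are assumed to be given by name.
WEAK_DIGESTS = {"MD5", "SHA1"}
DIGESTS = {"MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512"}
OPTIONS = ("personal-digest-preferences", "cert-digest-algo",
           "default-preference-list")

# The settings quoted in the mail.
SUGGESTED = """\
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""
# Constructed sample with weak choices and one option missing.
WEAK = """\
# constructed sample
personal-digest-preferences SHA1 SHA256
cert-digest-algo MD5
"""


def parse_options(text):
    """Return {option: [ARGS]} from gpg.conf-style text (one option per line)."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        name, *args = line.split()
        options[name.lstrip("-").lower()] = [a.upper() for a in args]
    return options


def audit_gpg_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_options(text)
    findings = []
    for name in OPTIONS:
        if name not in opts:
            findings.append(f"{name}: not set, GnuPG defaults apply")
            continue
        digests = [a for a in opts[name] if a in DIGESTS]
        if not digests:
            findings.append(f"{name}: no digest algorithm listed")
        elif digests[0] in WEAK_DIGESTS:
            # The first digest listed is the most preferred one.
            findings.append(f"{name}: prefers weak digest {digests[0]}")
    return findings
```
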