Mailing List Archive

FAQ October 2019 update
The last time I gave the FAQ a thorough read-and-review was in October
2017, so it was time for a review. I fought off the urge to rewrite the
thing entirely -- I really don't like how it flows, but I view my job as
maintainer is more about making minor incremental changes than total
rewrites whenever the whim seizes me.

Anyway, the major changes:

* Every reference to the SKS keyserver network now points to
keys.openpgp.org. Reason: the SKS attacks a few months ago.

* All references to 2048-bit crypto are updated to refer to 3072-bit
crypto. Reason: GnuPG now defaults to 3072-bit RSA.

* PGPNET's email address has changed.


... Those were the high-priority changes that needed to be made. If
anyone has other suggestions, speak up: I'm listening. :)

(Note: I just committed the FAQ changes. It may take a couple of days
for the documentation on the website to be regenerated.)


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ October 2019 update [ In reply to ]
On Tue, 15 Oct 2019 15:17, Robert J. Hansen said:

> * Every reference to the SKS keyserver network now points to
> keys.openpgp.org. Reason: the SKS attacks a few months ago.

I have to object against this change. The SKS server network is still
useful and definitely more useful than an non-matured and centralized
keyserver. I am okay with removing explicit reference to the SKS
network for now but suggesting the use of that specific keyserver is a no-go.

> * All references to 2048-bit crypto are updated to refer to 3072-bit
> crypto. Reason: GnuPG now defaults to 3072-bit RSA.

Okay. But this

+your certificate uses 2048-bit keys we recommend retiring them and
+migrating to a new keypair of at least 3072 bits length. You can do

is a no-go because we will have a hard to time to convice people that
this is just a geek suggestion and that for almost all general use of
gpg the existsing keys are still fine. Actually 2k keys are still
allowed in Germany for restricted communication and there is no need for
an immediate rush to 3k.

I also wonder why you removed this

-If you need more security than RSA-2048 offers, the way to go would be
-to switch to elliptical curve cryptography — not to continue using
-RSA.

GnuPG's future default is already ECC and some hosted mail services
are already creating such keys. GnuPG will switch to that with 2.3
which is not that far away.

> (Note: I just committed the FAQ changes. It may take a couple of days
> for the documentation on the website to be regenerated.)

That is a matter of minutes. I only had a brief look at it but I can't
see that your changes are subject to frequently asked questions here.
The GnuPG FAQ is for all GnuPG users and should not again start reflect
the view of some crypto geeks or give advises which will lead only to
trouble.

I am sorry for having to write these harsh comments: In contrast to
discussions on the mailing list the FAQ reflects the opinion of the
GnuPG project and as such substantial changes need to be discussed
first. I would suggest to create a branch and revert the changes
in master until an agreement has been reached.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: FAQ October 2019 update [ In reply to ]
Let's start with the most important thing:

> I am sorry for having to write these harsh comments

I didn't find your comments harsh, but thank you for being considerate. :)

>> * Every reference to the SKS keyserver network now points to
>> keys.openpgp.org. Reason: the SKS attacks a few months ago.
>
> I have to object against this change. The SKS server network is still
> useful and definitely more useful than an non-matured and centralized
> keyserver.

I can't agree with this. SKS is effectively dead. Older GnuPG
installations can still get utterly wedged if they pull down a poisoned
certificate from SKS. There are a *lot* of these older installations
out there in the wild, and what we suggest to them should not lead them
into wedging their system.

Should they update? Yes. Is the problem mitigated by an update? Yes.
But will they? Probably not before wedging their keyring. Given that
high-profile people in the community have had our certificates defaced,
it's possible someone will say "I want to ask dkg a question," pull down
his cert, get wedged, and... etc.

I think it's dangerous to our users to continue to recommend SKS in the
face of a well-known poisoning problem.

> suggesting the use of that specific keyserver is a no-go.

I'm fine with this. My major concern is removing SKS recommendations.

>> * All references to 2048-bit crypto are updated to refer to 3072-bit
>> crypto. Reason: GnuPG now defaults to 3072-bit RSA.
>
> Okay. But this
>
> +your certificate uses 2048-bit keys we recommend retiring them and
> +migrating to a new keypair of at least 3072 bits length. You can do
>
> is a no-go because we will have a hard to time to convice people that
> this is just a geek suggestion and that for almost all general use of
> gpg the existsing keys are still fine. Actually 2k keys are still
> allowed in Germany for restricted communication and there is no need for
> an immediate rush to 3k.

I agree there is no immediate rush: the US guidance says they're safe
until 2030. But for many years we advised people to use 2048-bit keys,
now we're generating 3072-bit keys by default. At the very least the
old guidance on 2048-bit keys needs to be dropped. Whether we explain
it away as "we're now using 3072-bit keys by default, in order to get a
long head start on 2048's obsolescence" or "we're going to be moving to
ECC in the near future" matters little to me, but we need to explain the
shift away from 2048.

> I also wonder why you removed this
>
> -If you need more security than RSA-2048 offers, the way to go would be
> -to switch to elliptical curve cryptography — not to continue using
> -RSA.

Because it raises an immediate question of, "then why does GnuPG default
to RSA-3072, if the FAQ's guidance is past -2048 to use ECC?" The FAQ's
statement collides with what GnuPG actually does.

> That is a matter of minutes. I only had a brief look at it but I can't
> see that your changes are subject to frequently asked questions here.

There were three major changes: keyservers, key lengths, and an email
address. All three existed in prior iterations of the FAQ. If you
think they should be dropped, I'm all for that conversation, but please
keep in mind that I'm not adding new subjects to the FAQ: in this pass I
was updating existing content.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ October 2019 update [ In reply to ]
On 15/10/2019 21:59, Robert J. Hansen wrote:
> Should they update? Yes. Is the problem mitigated by an update? Yes.
> But will they? Probably not before wedging their keyring. Given that
> high-profile people in the community have had our certificates defaced,
> it's possible someone will say "I want to ask dkg a question," pull down
> his cert, get wedged, and... etc.

I can confirm that this happens and users are being b0rked because
of trolls.

Street level rumour is that GnuPG key exchange is broken and you should
not use it.

It doesn't matter what the truth is - it is the public perception
that recent SKS events made it unusable, this was advertised
across the media all over the place and the image stuck.

Additionally, poor handling of SKS fiasco by GnuPG community
hurt it's credibility a lot, so a clear signal that this issue was
treated seriously would be beneficial.

Should it be advertised as a new go-to standard or as
transitional standard, beta/alpha/whatever - I don't know,
it's debatable.

Cheers,
Chris

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ October 2019 update [ In reply to ]
Hi,

On Tue, Oct 15, 2019 at 03:17:58PM -0400, Robert J. Hansen wrote:
>... Those were the high-priority changes that needed to be made. If
>anyone has other suggestions, speak up: I'm listening. :)

A while ago (I can’t find the e-mail anymore) I suggested a few changes
that somehow didn’t find their way to the FAQ and then I forgot about
them. Allow me to submit them again.

Those changes are all related to the fact that modern (? 2.1) GnuPG
automatically creates a revocation certificate whenever it creates a new
key pair, and stores it in $GNUPGHOME/openpgp-revocs.d.

In section 7,17 (What’s a ‘revocation certificate’?), it’s no longer
recommended to create a revocation certificate immediately after
generating a new GnuPG certificate. Instead, this section may state that
GnuPG already creates one when creating a GnuPG certificate, and that it
can be found in $GNUPGHOME/openpgp-revocs.d.

Similarly, section 8.5 (“What should I do after making my certificate”)
should no longer say to generate a revocation certificate, but again may
indicate where to find the one automatically generated by GnuPG, and
advise to store it in a safe place.

In the same section, the subsection “How do I generate a revocation
certificate” could be moved elsewhere, as it is no longer something you
“should do after making [your] certificate”.

In section 10 (“What are some common bast practices?”), the advice
“Generate a revocation certificate and keep it safe” should be removed
and optionally replaced by “Keep your (automatically generated)
revocation certificate safe”.

Cheers,

- Damien