[pkg-gnupg-maint] diverging from upstream defaults

Werner Koch wk at gnupg.org
Fri Sep 8 16:24:53 UTC 2017


On Fri,  8 Sep 2017 17:49, dkg at fifthhorseman.net said:

> is who should have to make manual changes: people making backups who
> have performance concerns, or people making backups who have security
> concerns?

Having more backups may also be a security advantage ;-)

Okay, so use AES256, but let's do it this way:

--8<---------------cut here---------------start------------->8---
-#if GPG_USE_AES128
+#if GPG_USE_AES256
+# define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES256
+#elif GPG_USE_AES128
 # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_AES
 #elif GPG_USE_CAST5
--8<---------------cut here---------------end--------------->8---
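
Review bot: the chain starting at `#if GPG_USE_AES256` now expresses the default-cipher preference only through branch order, and nothing in the hunk documents that. A build with GPG_USE_AES256 turned off falls through to the `#elif GPG_USE_AES128` branch and gets CIPHER_ALGO_AES as its default without any visible indication. Consider a short comment above the chain saying that the first enabled algorithm becomes DEFAULT_CIPHER_ALGO and that disabling AES256 lowers the default to the AES128 branch, so that a packager who flips the macro knows what default results. The comment could also note that CIPHER_ALGO_AES is the 128-bit variant, since the name alone does not say so next to CIPHER_ALGO_AES256.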

so that a build can disable the need for AES256.

> SHA-256 vs: SHA-512: There has been a heated debate in the OpenPGP WG on
[...]
> devices (IoT), who would be the most likely use case for curve 25519, so
> i have a hard time imagining who we're protecting with this, though.

Indeed that is a problem with ed25519 - but at least they can use cv25519.

To avoid source code changes, would a configure option be useful to
switch the preferences?

> When you say "for debian" i think you mean "for debian developers" --

Sure.

> had a few conversations about what it'll take to do the move to ecc, and
> i don't think the infrastructure is fully ready yet.

I understand.  So this can be discussed again after Buster.

> As for requiring hardware tokens, there are other folks working on that
> (anarcat has done a bunch of review/research recently) and i'm not yet
> convinced that i'm willing to inflict the extra pain (delay, risk of
> hardware loss, etc) as a mandatory for participation in debian.

It would be cool if Debian could suggest the use of a token.  Because I
favor the Gnuk, the ECC support would be important.  But right, we also
need to get our job done and make Gnuk more easily available.

>> I am not sure about the 100ms vs. 300ms change for S2K.  300 ms is a

> hm, this is true, but i suppose it depends on what else is going on --

Then this looks like a configure option thing.  I mean at least a
configure build option but it is also possible to add an additional
gpg-agent.conf option, for example to reduce the built in default.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.