[pkg-gnupg-maint] diverging from upstream defaults

Werner Koch wk at gnupg.org
Fri Sep 8 06:57:55 UTC 2017


Hi!

On Fri,  8 Sep 2017 08:00, dkg at fifthhorseman.net said:

>>>>  * default s2k duration (calibrated by agent): 100ms → 300ms
>>>
>>>
>>> I didn't need to do this one, because upstream has already done it, yay!:
>>
>> Nope, we only swapped the AES variants:
>
> I'm not sure what you're responding to, Werner.  I *did* need to do all
> the steps above, including setting the default symmetric cipher to

What I read was: I [dkg] did not need to do this one [default s2k]
because upstream [wk] already did this.

That is definitely not the case.  Thus I took it as if upstream already
changed all the things you listed.  Out of this only the AES
*preferences* were changed by upstream.

> Feel free to review the other changes in that update-defaults directory
> if you want to give feedback.  I'm also happy to push them as a separate
> branch to git.gnupg.org if that would make them easier to review.  Or if

I think we already talked about AES128 vs AES256 in the past.  I do not
see a reason to change the _default_ cipher.  This would anyway be a
major change because it is only used with --symmetric and often
(backups) performance is here an issue.

SHA-256 vs. SHA-512: There has been a heated debate in the OpenPGP WG on
this and the current state is that we use SHA-256 for the fingerprint to
allow for a SHA-256 only implementation (even if that means ed25519
can't be used).  Thus I won't take this upstream.

If you like RSA3072 better, feel free to use it and also push it to master.

For Debian, I would suggest to think about moving to ECC and - even
better - require hardware tokens.

I am not sure about the 100ms vs. 300ms change for S2K.  300 ms is a
noticeable delay but 100ms is acceptable in a UI.  Again the
--symmetric encryption kicks in.  This is often used in automated
settings and that may decrease throughput by a factor of 3!



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
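
Added example, not part of the message above and not GnuPG code: a Python sketch of the RFC 4880 iterated and salted S2K whose duration (100ms vs. 300ms) is being discussed, showing how a target duration maps to the one-octet coded count. The function names, the sample passphrase and salt, and the calibration loop are assumptions made for illustration; gpg-agent's own calibration is not reproduced here.

```python
import hashlib
import time

def decode_count(coded: int) -> int:
    """RFC 4880 section 3.7.1.3: expand the one-octet coded count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated(passphrase: bytes, salt: bytes, coded: int,
                 keylen: int = 16, hash_name: str = "sha256") -> bytes:
    """Iterated and salted S2K for keys no longer than one digest."""
    h = hashlib.new(hash_name)
    if len(salt) != 8 or keylen > h.digest_size:
        raise ValueError("need an 8-octet salt and keylen <= digest size")
    data = salt + passphrase
    # At least one full copy of salt+passphrase is always hashed.
    count = max(decode_count(coded), len(data))
    full, rest = divmod(count, len(data))
    block = data * 1024          # feed in bulk to limit Python overhead
    while full >= 1024:
        h.update(block)
        full -= 1024
    h.update(data * full)
    h.update(data[:rest])
    return h.digest()[:keylen]

def calibrate(target_ms: float, passphrase: bytes = b"constructed passphrase",
              salt: bytes = b"\x00" * 8) -> int:
    """Hypothetical calibration: smallest coded count taking >= target_ms."""
    for coded in range(256):
        start = time.perf_counter()
        s2k_iterated(passphrase, salt, coded)
        if (time.perf_counter() - start) * 1000.0 >= target_ms:
            return coded
    return 255                   # machine is faster than the maximum count

if __name__ == "__main__":
    for target in (100, 300):
        coded = calibrate(target)
        print(f"{target} ms -> coded count {coded} = {decode_count(coded)} octets")
```

Every passphrase-based encryption or decryption pays this derivation once, which is why a higher target shows up directly in automated --symmetric runs over many small files.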