[pkg-gnupg-maint] diverging from upstream defaults
Werner Koch
wk at gnupg.org
Fri Sep 8 16:24:53 UTC 2017
On Fri, 8 Sep 2017 17:49, dkg at fifthhorseman.net said:
> is who should have to make manual changes: people making backups who
> have performance concerns, or people making backups who have security
> concerns?
Having more backups may also be a security advantage ;-)
Okay, so use AES256, but let's do it this way:
--8<---------------cut here---------------start------------->8---
-#if GPG_USE_AES128
+#if GPG_USE_AES256
+# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
+#elif GPG_USE_AES128
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
#elif GPG_USE_CAST5
--8<---------------cut here---------------end--------------->8---
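Review bot: the new "#if GPG_USE_AES256" branch sits ahead of "#elif GPG_USE_AES128", so a build with both ciphers enabled always gets CIPHER_ALGO_AES256 as DEFAULT_CIPHER_ALGO, and the only way back to AES128 as the default is to build without AES256 altogether. If that coupling is intended, a short comment above the chain stating the preference order (AES256, then AES128, then CAST5) and that it is steered through the GPG_USE_* build switches would save the next reader from inferring it. The comment could also note that the unsuffixed CIPHER_ALGO_AES in the GPG_USE_AES128 branch is the 128-bit variant, since it now sits directly below CIPHER_ALGO_AES256.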
so that a build can disable the need for AES256.
> SHA-256 vs: SHA-512: There has been a heated debate in the OpenPGP WG on
[...]
> devices (IoT), who would be the most likely use case for curve 25519, so
> i have a hard time imagining who we're protecting with this, though.
Indeed that is a problem with ed25519 - but at least they can use cv25519.
To avoid source code changes, would a configure option be useful to
switch the preferences?
> When you say "for debian" i think you mean "for debian developers" --
Sure.
> had a few conversations about what it'll take to do the move to ecc, and
> i don't think the infrastructure is fully ready yet.
I understand. So this can be discussed again after Buster.
> As for requiring hardware tokens, there are other folks working on that
> (anarcat has done a bunch of review/research recently) and i'm not yet
> convinced that i'm willing to inflict the extra pain (delay, risk of
> hardware loss, etc) as a mandatory for participation in debian.
It would be cool if Debian could suggest the use of a token. Because I
favor the Gnuk, the ECC support would be important. But right, we also
need to get our job done and make Gnuk more easily available.
>> I am not sure about the 100ms vs. 300ms change for S2K. 300 ms is a
> hm, this is true, but i suppose it depends on what else is going on --
Then this looks like a configure option thing. I mean at least a
configure build option, but it is also possible to add an additional
gpg-agent.conf option, for example to reduce the built-in default.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.