Update outdated default preferences
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	coruus
	Aug 5 2014, 11:10 PM

Description

I hope this patch is acceptable in something like its present form. If
so, I'll write up the documentation updates as well. (But I suspect it
may spark some discussion.)

It updates some rather outdated defaults hard-wired into GnuPG:

Default cipher algorithm: CAST5 -> AES256
Default digest algorithm: SHA1 -> SHA512
Default S2K hash algorithm: SHA1 -> SHA256
Default S2K iterations: 255 (this takes about 400ms in E2E, not

sure about GnuPG timing)

Modification detection codes always used.
Slightly increased default RSA key-size to better match RSA

key-size recommendations.

Display long key IDs by default. (Would a default of showing

fingerprints be acceptable to folks?)

(Try to) never fall back to MD5, SHA1, or RIPEMD160 unless the user

explicitly requests the use of one of these algorithms.

Event Timeline

444_update-preferences.patch8 KBDownload

This has been discussed at gnupg-users at lengths. You need to read the OpenPGP
standard to understand some of the defaults. For the others you may start yet
another disucssion thread at gnupg-users.

re 4) The iteration count used depends on the machine.

• werner added a project: Won't Fix.Aug 6 2014, 10:39 AM

Thank you for the prompt response.

I am familiar with the standard. The only violation of a MUST I'm aware of is that
recipient and personal digest preferences are ignored for hashes with known attacks;
perhaps some of these changes cause GnuPG to behave badly in other cases?

coruus reopened this task as Open.Aug 6 2014, 2:28 PM

There are no known attacks on SHA-1. MD5 is disabled anyway in recent versions.
But please continue at gnupg-users - if you like.

Update outdated default preferencesClosed, ResolvedPublicActions

Description

Event Timeline

Update outdated default preferences
Closed, ResolvedPublic
Actions