A few days ago I posted about making the GNU Privacy Handbook
available as a GitHub repository and converting it to org-mode.
(Repository URL: https://github.com/akuchling/gph/ )
Now that the conversion is close to complete, what updates/changes
does the Handbook need? I'd like to hear suggestions.
There are certainly obvious updates to recommended key sizes, and we
should check that the various command lines are still correct. But
are there larger revisions to make? e.g. new topics that should be
added or ones that should be dropped, new usage best practices or
tools to suggest?
It would be useful for the GPH to specify whether it is referring to GPG2 or a version of GPG in the 1.x line, and it might also be useful to include slight coverage of the differences between the two. In addition, the following topics and issues should be considered:
* Phasing out SHA1 and MD5 hashing and moving from DSA to RSA keys (see https://www.debian-administration.org/users/dkg/weblog/48 for info.)
* Using frontends such as GPGTools for the MacOSX platform and GPG4win for the Windows platform.
* The limitations of GPG with regard to protecting against attacks against an end user's system.
* Obtaining and installing GPG (including verification of downloaded copies, if necessary.)
Other possible topics are:
* Migrating from the PGP product to GPG.
* Comparing OpenPGP and S/MIME.
Attached to this message is a Signatures.gif image file which should have a better appearance than the existing signatures.jpg image file. (At the time when the GPH was originally written, JPEG may have been preferable because of GIF being subject to licensing issues with LZW compression and support for PNG images being less widespread than it is now.)
Adjusting the license for the GPH so that it can (at minimum) be distributed under the terms of CC BY-SA 3.0 would be useful.
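As an added illustration of the key-size and DSA-to-RSA points raised above (this is not code from the thread or from the Handbook), the script below parses `gpg --list-keys --with-colons` output (field layout as documented in GnuPG's DETAILS file) and flags legacy DSA/ElGamal keys and RSA keys shorter than an assumed 2048-bit threshold; the sample records and key IDs are constructed placeholders.

```python
"""Audit OpenPGP keys for legacy algorithms and short RSA keys (added example)."""
import subprocess

# OpenPGP public-key algorithm IDs from RFC 4880, section 9.1
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_RSA_BITS = 2048  # assumed policy threshold; the Handbook may choose another


def parse_with_colons(text):
    """Yield (record_type, bits, algo_id, keyid) for pub/sub records.

    --with-colons fields: 1 type, 2 validity, 3 key length, 4 algorithm,
    5 key ID, 6 creation date, 7 expiry (remaining fields are ignored here).
    """
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        yield fields[0], int(fields[2]), int(fields[3]), fields[4]


def audit_keys(text):
    """Return a list of (keyid, reason) for keys that violate the policy."""
    findings = []
    for rec, bits, algo, keyid in parse_with_colons(text):
        name = ALGO_NAMES.get(algo, f"algo{algo}")
        if algo in (16, 17):  # ElGamal / DSA: legacy, migrate to RSA
            findings.append((keyid, f"{rec}: legacy {name} key; migrate to RSA"))
        elif algo in (1, 2, 3) and bits < MIN_RSA_BITS:
            findings.append((keyid, f"{rec}: RSA {bits} bits below {MIN_RSA_BITS}"))
    return findings


def audit_keyring():
    """Audit the local public keyring (requires gpg on PATH)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         check=True, capture_output=True, text=True).stdout
    return audit_keys(out)


# Constructed sample output; key IDs and dates are placeholders, not real keys.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1100000000:::u:::scaESCA::::::
uid:u::::1100000000::HASH::Example Old Key <old@example.org>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:1100000000::::::e::::::
sub:u:1024:1:1122334455667788:1100000000::::::e::::::
pub:u:4096:1:0011223344556677:1600000000:::u:::scaESCA::::::
uid:u::::1600000000::HASH::Example New Key <new@example.org>::::::::::0:
sub:u:4096:1:7766554433221100:1600000000::::::e::::::
"""

if __name__ == "__main__":
    for keyid, reason in audit_keys(SAMPLE):
        print(keyid, reason)
```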
FWIW, GnuPG used MD5 only for PGP2 compatibility. From rfc-4880:
Implementations MUST implement SHA-1. Implementations MAY implement
other algorithms. MD5 is deprecated.
SHA-1 is an important part of OpenPGP and used in ways which are
resistant against collision attacks. Thus it is not easy to fade it
out. A paragraph explaining why certain algorithms are used by default
does make sense, though.
> * Using frontends such as GPGTools for the MacOSX platform and GPG4win for the Windows platform.
> * The limitations of GPG with regard to protecting against attacks against an end user's system.
Yes, that is important for real world security.
Thoughts are free. Exceptions are regulated by a federal law.