[Bug 220492] security/gnupg defaults are mad

Wed Jul 5 17:10:13 UTC 2017

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220492

            Bug ID: 220492
           Summary: security/gnupg defaults are mad
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: adamw at FreeBSD.org
          Reporter: julien at tayon.net
          Assignee: adamw at FreeBSD.org
             Flags: maintainer-feedback?(adamw at FreeBSD.org)

I know the problem is not exactly RSA but a peculiar implementation

Still
http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html

Default of PGP? RSA 1024.
Default of PGP for fingerprint SHA1

Changing it is a PITA

As an experience I tried to use SHA256/Curve259.

Try it yourself, and beat me if you find it intuitive after a 20minutes
googling the internet to go in full expert to choose a very strong algo in the
middle of NIST....

This software MIGHT be the best one in the world when it comes to cryptography,
when it comes to the User Interface even for beardy sysadmins that enjoy CLI is
a PAIN.

Leading us by default on the wrong choices.

I am really not an expert, but an exploit actually usable on RSA or SHA1 might
be discovered. And this day, should not we have a decent interface to change
our default in less than 1 hour (imagine the web is down)?

If our defaults are broken, isn't there a risk bigger that people exchange with
the illusion of safety data that are unsafe?

My proposition is to remove GpG to try to look cooler than openBSD.

It will probably surprise them, and we all hate using gpg anyway.

-- 
You are receiving this mail because:
You are the assignee for the bug.