Articles with tag “GnuPG”

RFC: Using video conferencing for GPG key signing events

A thought that I haven't had a chance to fully consider (so I'm asking the Internet to do that for me)...

I have a geographically-diverse team that uses GPG to provide integrity of their messages.  Usually, a team like this would all huddle together and do a formal key-signing event …

Inadvertent data leakage from GnuPG

I was recently introduced to a privacy issue when refreshing your OpenPGP keys using GnuPG.  When refreshing your public key ring using a public key server, GnuPG will generally use the OpenPGP HTTP Key Protocol (HKP) to synchronize keys.  The problem is that when you do refresh your keys using …

Hashing Algorithm: Is your GPG configuration secure?

If your email messages are being signed using SHA-1 you may not be getting the security you think you are. Attacks on the hashing algorithm have caused much pain to those that use it.  Luckily SHA-2 is available and hopefully we'll start seeing SHA-3 out in the world soon.

You've …

My web of trust

[Image: Web of Trust built on 26 Jan 2013]

I created my web of trust graphic (select the graphic to zoom in to see detail) this morning showing the additions from the key-signing event at FUDCon Lawrence.  I'm also working on building the Fedora web …

Expiring OpenPGP keys...

A discussion was had on one of the Fedora IRC channels months ago about the "proper" way to handle expiring GPG keys without breaking the web of trust. It was my opinion that generating new keys every so often (yearly?) would increase the security of the overall …
