[tor-commits] [torbirdy/master] added gpg.conf optimized for privacy

sukhbir at torproject.org sukhbir at torproject.org
Sun Aug 18 23:05:14 UTC 2013


commit 7247c238109e7b3cc0cde4252fd98b327bf93cd5
Author: adrelanos <adrelanos at riseup dot net>
Date:   Thu Aug 15 22:41:45 2013 +0000

    added gpg.conf optimized for privacy
---
 gpg.conf |   77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/gpg.conf b/gpg.conf
new file mode 100644
index 0000000..c9534db
--- /dev/null
+++ b/gpg.conf
@@ -0,0 +1,77 @@
+## gpg.conf optimized for privacy
+
+##################################################################
+## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam
+
+## Don't disclose the version
+no-emit-version
+
+## Don't add additional comments (may leak language, etc)
+no-comments
+
+## Don't include keyids that may disclose the sender or any other non-obvious keyids
+throw-keyids
+
+## We want to force UTF-8 everywhere
+display-charset utf-8
+
+## Proxy settings
+keyserver-options http-proxy=socks5://TORIP:TORPORT
+
+keyserver hkp://2eghzlv2wwcq7u7y.onion
+
+## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam
+##################################################################
+
+##################################################################
+## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html
+
+personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+## END Some suggestions from Debian http://keyring.debian.org/creating-key.html
+##################################################################
+
+##################################################################
+## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
+
+## When creating a key, individuals may designate a specific keyserver to use to pull their keys from.
+## The above option will disregard this designation and use the pool, which is useful because (1) it
+## prevents someone from designating an insecure method for pulling their key and (2) if the server
+## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will
+## never be refreshed.
+keyserver-options no-honor-keyserver-url
+
+## when outputting certificates, view user IDs distinctly from keys:
+fixed-list-mode
+
+## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
+keyid-format 0xlong
+
+## when multiple digests are supported by all recipients, choose the strongest one:
+## already defined above
+#personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+## preferences chosen for new keys should prioritize stronger algorithms:
+## already defined above
+#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+## If you use a graphical environment (and even if you don't) you should be using an agent:
+## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
+use-agent
+
+## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
+verify-options show-uid-validity
+list-options show-uid-validity
+
+## include an unambiguous indicator of which key made a signature:
+## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
+sig-notation issuer-fpr at notations.openpgp.fifthhorseman.net=%g
+
+## when making an OpenPGP certification, use a stronger digest than the default SHA1:
+## already defined above
+#cert-digest-algo SHA256
+
+## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
+##################################################################
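
Review bot: the `keyserver-options http-proxy=socks5://TORIP:TORPORT` line ships literal placeholders, and its only comment ("## Proxy settings") does not tell the user that TORIP and TORPORT must be replaced before the file is used. Since this is the line meant to send keyserver traffic through the proxy, say so in the comment, or leave the line commented out until the values are filled in. In the riseup section, the comment beginning "The above option will disregard this designation and use the pool" sits before `keyserver-options no-honor-keyserver-url`, not after it, and the keyserver configured in this file is a single .onion address rather than a pool. Reword it along the lines of "The following option ... uses the keyserver configured above", and drop or adjust the hkps/ca-cert reasoning if it does not apply to the hkp:// onion keyserver. Minor: the first section's END marker repeats "TorBirdy", and the commented-out `#cert-digest-algo SHA256` is labelled "already defined above" although the active value above is SHA512, so a short note that the stronger value is intentional would avoid confusion.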




