From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 220492] security/gnupg defaults are mad
Date: Wed, 05 Jul 2017 17:10:12 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220492

Bug ID: 220492
Summary: security/gnupg defaults are mad
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: adamw@FreeBSD.org
Reporter: julien@tayon.net
Flags: maintainer-feedback?(adamw@FreeBSD.org)

I know the problem is not exactly RSA but a peculiar implementation. Still:
http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html

Default of PGP? RSA 1024.
Default of PGP for fingerprint: SHA1.
Changing it is a PITA.

As an experiment I tried to use SHA256/Curve259. Try it yourself, and beat me if you find it intuitive, after 20 minutes of googling the internet, to go full expert and choose a very strong algo in the middle of NIST....

This software MIGHT be the best one in the world when it comes to cryptography; when it comes to the User Interface, even for beardy sysadmins that enjoy CLI, it is a PAIN. Leading us by default to the wrong choices.

I am really not an expert, but an exploit actually usable on RSA or SHA1 might be discovered. And on that day, should we not have a decent interface to change our defaults in less than 1 hour (imagine the web is down)?

If our defaults are broken, isn't there a bigger risk that people exchange, with the illusion of safety, data that are unsafe?
My proposition is to remove GPG to try to look cooler than OpenBSD. It will probably surprise them, and we all hate using gpg anyway.

-- 
You are receiving this mail because:
You are the assignee for the bug.