diff --git a/doc/ChangeLog b/doc/ChangeLog index 4798b0ff2..07cbc4fec 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2004-12-09 David Shaw + + * highlights-1.4.txt: New. + + * mksamplekeys, samplekeys.asc: Add the PGP global directory key. + 2004-11-26 David Shaw * gpg.sgml: Document export-minimal. diff --git a/doc/highlights-1.4.txt b/doc/highlights-1.4.txt new file mode 100644 index 000000000..615f6f0ac --- /dev/null +++ b/doc/highlights-1.4.txt 
@@ -0,0 +1,202 @@ +GnuPG 1.4 Highlights +==================== + +This is a brief overview of the changes between the GnuPG 1.2 series +and the new GnuPG 1.4 series. To read the full list of highlights for +each revision that led up to 1.4, see the NEWS file in the GnuPG +distribution. This document is based on the NEWS file, and is thus +the highlights of the highlights. + +When upgrading, note that RFC-2440, the OpenPGP standard, is currently +being revised. Most of the revisions in the latest draft (2440bis-12) +have already been incorporated into GnuPG 1.4. + + +Algorithm Changes +----------------- + +OpenPGP supports many different algorithms for encryption, hashing, +and compression, and taking into account the OpenPGP revisions, GnuPG +1.4 supports a slightly different algorithm set than 1.2 did. + +The SHA256, SHA384, and SHA512 hashes are now supported for read and +write. + +The BZIP2 compression algorithm is now supported for read and write. + +Due to the recent successful attack on the MD5 hash algorithm +(discussed in , +among other places), MD5 is deprecated for OpenPGP use. It is still +allowed in GnuPG 1.4 for backwards compatibility, but a warning is +given when it is used. + +The TIGER/192 hash is no longer available. This should not be +interpreted as a statement as to the quality of TIGER/192 - rather, +the revised OpenPGP standard removes support for several unused or +mostly unused hashes, and TIGER/192 was one of them. + +Similarly, Elgamal signatures and the Elgamal signing key type have +been removed from the OpenPGP standard, and thus from GnuPG. Please +do not confuse Elgamal signatures with DSA or DSS signatures or with +Elgamal encryption. Elgamal signatures were very rarely used and were +not supported in any product other than GnuPG. Elgamal encryption was +and still is part of OpenPGP and GnuPG. + +Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary +to OpenPGP) Elgamal key type. 
While no recent version of GnuPG +permitted the generation of such keys, GnuPG 1.2 could still use them. +GnuPG 1.4 no longer allows the use of these keys or the (also +nonstandard) messages generated using them. + +At build time, it is possible to select which algorithms will be built +into GnuPG. This can be used to build a smaller program binary for +embedded uses where space is tight. + + +Keyserver Changes +----------------- + +GnuPG 1.4 does all keyserver operations via plugin or helper +applications. This allows the main GnuPG program to be smaller and +simpler. People who package GnuPG for various reasons have the +flexibility to include or leave out support for any keyserver type as +desired. + +Support for fetching keys via HTTP and finger has been added. This is +mainly useful for setting a preferred keyserver URL like +"http://www.jabberwocky.com/key.asc". or "finger:wk@g10code.com". + +The LDAP keyserver helper now supports storing, retrieving, and +searching for keys in both the old NAI "LDAP keyserver" as well as the +more recent method to store OpenPGP keys in standard LDAP servers. +This is compatible with the storage schema that PGP uses, so both +products can interoperate with the same LDAP server. + +The LDAP keyserver helper is compatible with the PGP company's new +"Global Directory" service. + +If the LDAP library you use supports LDAP-over-TLS and LDAPS, then +GnuPG detects this and supports them as well. Note that using TLS or +LDAPS does not improve the security of GnuPG itself, but may be useful +in certain key distribution scenarios. + +HTTP Basic authentication is now supported for all HKP and HTTP +keyserver functions, either through a proxy or via direct access. + +The HKP keyserver plugin supports the new machine-readable key +listing format for those keyservers that provide it. + +IPv6 is supported for HKP and HTTP keyserver access. 
+ +When using a HKP keyserver with multiple DNS records (such as +subkeys.pgp.net which has the addresses of multiple servers around the +world), all DNS address records are tried until one succeeds. This +prevents a single down server in the rotation from stopping access. + +DNS SRV records are used in HKP keyserver lookups to allow +administrators to load balance and select keyserver ports +automatically. + +Timeout support has been added to the keyserver plugins. This allows +users to set an upper limit on how long to wait for the keyserver +before giving up. + + +Preferred Keyserver URL +----------------------- + +Preferred keyserver support has been added. Users may set a preferred +keyserver via the --edit-key command "keyserver". If the +--keyserver-option honor-keyserver-url is set (and it is by default), +then the preferred keyserver is used when refreshing that key with +--refresh-keys. + +The --sig-keyserver-url option can be used to inform signature +recipients where the signing key can be downloaded. When verifying +the signature, if the signing key is not present, and the keyserver +options honor-keyserver-url and auto-key-retrieve are set, this URL +will be used to retrieve the key. + + +Trust Signatures +---------------- + +GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to +specify the trust level and distance from the user along with the +signature so users can delegate different levels of certification +ability to other users, possibly restricted by a regular expression on +the user ID. + + +Trust Models +------------ + +GnuPG 1.4 supports several ways of looking at trust: + +Classic - The classic PGP trust model, where people sign each others + keys and thus build up an assurance (called "validity") that + the key belongs to the right person. This was the default + trust model in GnuPG 1.2. + +Always - Bypass all trust checks, and make all keys fully valid. + +Direct - Users may set key validity directly. 
+ +PGP - The PGP 7 and 8 behavior which combines Classic trust with trust + signatures overlaid on top. This is the default trust model in + GnuPG 1.4. + + +The OpenPGP Smartcard +--------------------- + +GnuPG 1.4 supports the OpenPGP smartcard +() + +Secret keys may be kept fully or partially on the smartcard. The +smartcard may be used for primary keys or subkeys. + + +Other Interesting New Features +------------------------------ + +For those using Security-Enhanced Linux , +the configure option --enable-selinux-support prevents GnuPG from +processing its own files (i.e. reading the secret keyring for +something other than getting a secret key from it). This simplifies +writing ACLs for the SELinux kernel. + +Readline support is now available at all prompts if the system +provides a readline library. + +GnuPG can now create messages that can be decrypted with either a +passphrase or a secret key. These messages may be generated with +--symmetric --encrypt or --symmetric --sign --encrypt. + +--list-options and --verify-options allow the user to customize +exactly what key listings or signature verifications look like, +enabling or disabling things such as photo display, preferred +keyserver URL, calculated validity for each user ID, etc. + +The --primary-keyring option designates the keyring that the user +wants new keys imported into. + +The --hidden-recipient (or -R) command encrypts to a user, but hides +the identity of that user. This is the same functionality as +--throw-keyid, but can be used on a per-user basis. + +Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used +interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1") +anywhere algorithm names are used in GnuPG. + +The --keyid-format option selects short (99242560), long +(DB698D7199242560), 0xshort (0x99242560), or 0xlong +(0xDB698D7199242560) key ID displays. This lets users tune the +display to what they prefer. 
+ +While it is not recommended for extended periods, it is possible to +run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in +this, GnuPG 1.4 tries to load a config file suffixed with its version +before it loads the default config file. For example, 1.4 will try +for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular +gpg.conf file. diff --git a/doc/mksamplekeys b/doc/mksamplekeys index b60242bad..10ba1a462 100755 --- a/doc/mksamplekeys +++ b/doc/mksamplekeys @@ -1,7 +1,7 @@ #/bin/sh # Generate a samplekeys.asc -keys="5B0358A2 57548DCD 621CC013 99242560 B2D7795E" +keys="5B0358A2 57548DCD 621CC013 99242560 CA57AD7C B2D7795E" for i in $keys; do gpg --list-keys $i | awk ' { print " " $0 }' diff --git a/doc/samplekeys.asc b/doc/samplekeys.asc index b79396cb6..35618a6ee 100644 --- a/doc/samplekeys.asc +++ b/doc/samplekeys.asc @@ -15,6 +15,10 @@ sub 2048g/1643B926 2002-01-28 [expires: 2012-01-26] sub 1024D/49E1CBC9 2002-01-28 [expires: 2012-01-26] + pub 2048R/CA57AD7C 2004-12-06 + uid PGP Global Directory Verification Key + uid [jpeg image of size 3400] + pub 1024D/B2D7795E 2001-01-04 uid Philip R. Zimmermann uid Philip R. Zimmermann @@ -24,7 +28,7 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.3.91-cvs (GNU/Linux) +Version: GnuPG v1.3.93-cvs (GNU/Linux) mQILBDxUyXkBEACgg6vxNPigg9FQz14CkPtR/dEq3sCjK1r4+2oyeoRno+pqZ6Z7 ZfphgA/q5woweFAGOg17KD2WXegoQ5pXbFvP+w9j9zm3g59XzTRSzZgScelTibPn 
@@ -1172,6 +1176,101 @@ T9LOwRYy5ufSY4X+HY7iVopCWsFhE5cqQMvOjmEUbsAmyMjWrgXkysvmr2bxdqC7 G7XEzuoUCt3Ouz2paCfZVR/P5h+y7qpDCwx+boJKc5nnf/EqK36lZGpJ3um+Jkck hQgV2lWaCpgx83B9qEkjITPXscoenc4tWxruiFQEGBECAAwFAjpU6CcFGwwAAAAA EgkQx0Y2ObLXeV4HZUdQRwABAeVtAKD4358jdvOoX358HnQnmwUdUczuFgCfT70B -8OXmdyevgPtF4wOVighnBFE= -=Pc1y +8OXmdyevgPtF4wOVighnBFGZAQ0EQbPS8gEIAMtvZJvlBs6FEjN86De70XffyArV +dlYkbwnBc/wNIZtASh/T5ihP/tsD7eHWWOHcsbSbwlQR2iWvEvP/wyC67ZMDZRCI +zBFpEKFJW8GCQJFiSv3v6QKU2CaL48u5Q3XPi2ymp0TvrWdFW9SXbHhe8tMnbWFT +l5cYawL6oU/gR97wHmQf4V7EB+cU8/Oi7caNsNti/gJiLSnKFPGZq7HInJCtD8xB +S3REVGQvyoLNYJHYGYfeMzczRa3SgqfwLz59Yi1SHlT1/O/8r0Z479JXz7N0vgyt +2oOy2Cpc2zbsf5Z4iBteVQYizSY40TpO0pnk9cbnMUzVvPW8N0Bhtjh5RYMAEQEA +AbQlUEdQIEdsb2JhbCBEaXJlY3RvcnkgVmVyaWZpY2F0aW9uIEtleYkBWwQQAQIA +RQUCQbPTrAcLCQgHAwIKAhkBHhhsZGFwOi8va2V5c2VydmVyLWJldGEucGdwLmNv +bQUbAwAAAAMWAgEFHgEAAAAEFQgCCgAKCRCXELibyletfJusB/41PL2YVOzdS4gT +SGAln8vWUn4I/+E5W1X4sPf2N3cH4PbZxN4+hZe2Vm+Ki0ZWRGsNUtYuOhfuQFhJ +STRCGKOL6DdEHe0ASs4uxHW4E6/IwZ/K81E315zFb682ywBRpesckmytQAmp3qJT +ZSrDeUQ+ZqoFLGY/jcsRc+ty9wfAphAwsDYtehSydnvTXhdb8U1voeCC41Vihvvz +i3Kl0GNy56m/WZ+Jf5pqTJCHFdjI5iCsDLVAGQhmw6EYsV7WywpqJ/uAQf/w/obW +IQXoKfNTkBLR1otiR9Ib01KkbW4lm9Rcs8WEsJ5C31TKEWdczsWWvyJyjFbXoTfr +Ti5szzutiEYEEBECAAYFAkGz1AkACgkQrLsWS89z7EzyCQCeLzc6VP+oiydjWeaV +Cgf4KvA6ZPwAoMPfa8/L7HbrycH2VafAYXz+SUERiEYEEBECAAYFAkG1Y/QACgkQ +00vJw2APoAGu7ACfeuRYvpX6m1+prhxlL4yzHvjeHukAn3AUME5pxT4tkhx3miT4 +AagryB7Y0cye/wAADVkBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYAAQEAAAEA +AQAA/9sAQwAKBwcIBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYp +NCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47/9sAQwEKCwsODQ4cEBAcOygiKDs7Ozs7 +Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7/8AA +EQgAkAB4AwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkK +C//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNC +scEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpj +ZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4 
+ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMB +AQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwAB +AgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJico +KSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJ +ipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj +5OXm5+jp6vLz9PX29/j5+v/aAAwDAQACEQMRAD8A9moqtf30Gm2cl3cvtijGSa4a +++LNlGStlZvKR0ZuBWkKU6nwomU4x3PQqK8guPinrEzYhhihX86ns/Ffia/XzElJ +UHOV4/rW/wBUqJXlZEe2i9j1iivMP+Ex1q3+/KCw6gip4PiXdREC5tUkHcrwaTwl +VbK4e1iekUVzmheNdO1ycWyK8U5Gdrf410QOa55RcXaSNE09ULRRRUjCiiigAooo +oAKKKKAOY+IblfCN1g9cA/rXh1fQPiXT4dU0o2dwXEcrclCARgE8ZB9K4J/AGkKe +Jr38ZU/+Ir0MLiIUoNSOerTlJ3R54v3hXpfg3UdNGmrHPMsToOc9+KrQeBdAd2SS +7vkYdPnX/wCIqy3gfRoThb+9GP8AaQ/+yVdavRqxs2yYU5wdzH164t57+V7XHlZO +COh5rn5n5NdrJ4U0xBt/tC8x16p/8RTP+EK0uRQ32q9IPfzE/wDiKuGKpRSSYnSm +3c5/wjP5XiKFywUDqScelevR6/pCR4k1S0DDqPOXI/WvPLjwdplpbtPG9zI6so2y +spU5YDoFHrW7pOmRWpEiqVyuPlHH41xYmpGpPmibU4uKszqY9f0aZtseq2bN6eeu +f51fVldQyMGU9CDkGueMCOpxtYe3NYWoabJJOZrWV7V1yFe1cxnH1HX8a57Glz0C +iuFg8U6rpjql2PtkXTMgCv8Agw4/MfjXU6VrthrCH7NKRIoy8LjDr+Hp7jIosFzR +ooopDCiiigClqXKRD1c/+gtWPLFitnUfuRH/AG//AGUiqDKGFAzAmFzG7rGhAJJy +B604XtzGGjeAuD3GR2x260t1fTJf3EChAsLKo+XOcorZP/fVQm8lPXZ/3yKLCJDP +IBsjUjIHUewFWoYWS2jDDBArPN1IQR8o/wCAirdvcERwu33ZYkdgOgLKCcfnRYBL +0f8AEvmz6x/+jUqxbzyCLCKoC92NRaiMWLkHhmj/AB+dTWlarutdoIXI64oQETXJ +25MbA9DsolCEY4zjpVswL5QXgMB1xWZMRDIywoJn6HnAWmIzb+GZyyIisD0Vl4Nc +5I0ulXSO8zQtnMTrkGM/71dVNpufnMkm7Odwfmqd5CGi8tuQB0b5v51SEzf8M+Kl +1QixvdqXoHysOFmA7j0PqPxHoOlrxm5DROrRkxvGQVZOCpHQivSPCfiEa9px80gX +lvhZ1Hf0Yex/mDRKNtQTN6iiioKKmoD9zGfSVf1OP61QrUuovOgZM4PBB9CDkH86 +5PxJrVx4d057yS0inAcIqq5TJJ+hoAqXg/4m9/8A9dU/9FR1CRUGlan/AG7Fcal9 +n+z+dNjy9+/btRV64GemelWiKoRHVuIf6Ha/9e0X/oC1VIrIt/FtxNGsFtoxk+zo +ITI1zhWKjbn7vt0zSYzfvJSLAIennIB+p/pWtZy4hXmuQa71fUzGhtre1jR920MX +LHGMk+2T6da1oZb22ULM6FDwGCkHNFhGzNqCbjAmXkPGF7VJFAkEQHBNQWkMUcQI +wc859fepJJeOtNIVyK4bg1jXjda0LiTg1k3b9atEsxr3qai0LWDoOvQXpYiEny5x 
+6oep/Dg/hT7s9ayLoZVs1VriPeQcjIorC8F37ah4Vs3kbdLCvkyexXjn3xg/jRWB +qb1ee/FqYLpun24P+snLMPoOK9Crzb4uKQumSfwl2H44qo7iexB4JQHRwCMj7Q39 +K2roRRXTkqPLU8iuB8NFl8S6ftdgrSHIycH5T2rvb8b2uap6MS1RDJcWsq7YUCt6 +5J4rA0FUCHKjh2/9CNYfjDUSkS2lskrlHDTSR/8ALPjocUaH4msUtVjCM0qLyqkA +H8TyKSBnoELoOgFJf3VoITFcTBNy546gevtzXM6Rqd3fakWadyigsYw3y+gAH410 +O/PDZHHcU7E3LWnXED2SC2nE0ajG4HJ/GpJJeOtYlxYpJdxXMcssLxkE+SwXdj14 +qrf6jrP22SK0t4RFkFZZMYx/n8aANieXg1mXMnWla5lKRCSMFmB8xoz8qHHvzg1T +nlzVIRTuW61l3MyQRSTuNwjXdt9T2FXZ3zWfcRpPG8Mn3JBtJ9PQ/nVCO7+Dl49z +4f1BJG3Mt6XJ/wB5V/woqD4LwvDpurK45W5VT9QtFYPc1Wx6VXDfFi0M3hmG6A5t +rhSfoRj/AAruaz9d01dY0O809v8AlvEVX2bt+uKFowZ4z4Zbd4h04/8ATRv/AEBq +7+T53ufrXnXhffF4ls4JQVkildWB7EKwNehwnfLcD/aFXLcUThGs5bDUpYrgFWZ2 +dGHR1J6ip57C0voRHcQq6htwI+Ug4xkEVo+MJ0jksrYA+ZuMhPouMfzP6VnQyEqK +qOqJejMmfSr/AE8NNbzC6hjG7aQVlA/kcVueFtR+12Mrpceagk4Abdt4/rUiMeOe +aqS6UhuVubSaWymxtdrbC+YvoR6+9FhHRPcCNGaRgiqNzFjgAVmya/pYkZftSnH8 +QQlT9D3rmdbefT4o7KO6ne3ky+yV9xBB9euO+Kw2mfruNAj0OW8t/K837TB5eM7/ +ADBjFVp3IAOQQwyCDkEexrz95W9vrirula1LYyiOQu9s2Q0YPT3GehpgdJK2apzt +8hottQgv1k8pZEeMZIYg5GcZyKjuFkkKQxKXklYKijqSeAKdwPUvhdbeX4ZmutpH +2y7eUZ9AAv8ANTRXSaJpqaPotnpyYP2eIKxHdv4j+JyaKwe5qi/RRRSGeaeJ/Dx0 +3x7Yavbr/o967eZj+GQI38xz+dXdPffczD1cVu+Lzi0tT6Tj/wBBNc3oz7r5x6uK +roIwPFt5BeazFbQKGa1BWSQdycfL+GP1qCCPgU3+yprC/ltrpcSqxOezAnhge9aM +Nv04rRaIh7jEiNSSFLeF55c7I1LNjrgVcjt/alu9O+12U1uSUEqFNyjlcjrRcVjz +zVL6bU5xJIioqjCIo4Uf1NUDEfStiXTLizuHtboL5qc7l6OvZhTTZ+1K4WMZoSe1 +NFuSelbP2M9xT47As2FXJp3FYqaUptJ2fZu3IVwSR1r0L4f6FHqmsf2w8bC3sjhA +2CGlx29duc/UisHQ/DlzreoiwtPl24NxPjKwL/Vj2H9K9m07T7bStPhsbOPy4IV2 +qO/uT6knkmoky4otUUUVBYUUUUAc54yP+hWv/XwB+hrntOTyNbSP+84rs9Z04aja +qu7a8bh0OMjI9a5O6gvob3zjZAuDwyOMfryKaegEHjZTYva6qV8yFf3MqKMsueQw +9uDmq+nPZahGJLSdHz2zyKsXEOpagyC4IWOM5WNOmfUnuaxtT8NOJPtFoGt5uu6P +jP4U0xNHSx2bjtmrC2p/u1xEOr+J9MO1sXCj++OavxeO9Tj4m0vJ9jTuI09c8Nrq +UavGfKuI/wDVyhc49iO4rnToV/A/lXCI5xkPGCFI/HvWhL491BhiLSufc1l6hrXi +TVZQIALaPGOFyfc0gHzadBZxGW9nSFBydxp+nafPrEii0RrOyP3rmRfncf7Cn+Z/ 
+Wo9K8NXEl0Lm+L3EgOQZTux9K7W0s5BgYNFwsbOg2tlpVilnYxCOMHJ7s7HqxPc1 +sqcjNZNnbsuM1qoMLUlD6KKKACiiigBCM1E9tG55UVNRQBWNlF2UVC+mxP8Aw1fo +oAx5NDgfqg/KoG8N2p/5ZL+Vb9FAHPjw1ag/6pfyqZNBt06IPyraooAzU0qJOiir +CWcadBVqigBixhegp1LRQAUUUUAf/9mJAVMEEAECAD0FAkGz06wHCwkIBwMCCh4Y +bGRhcDovL2tleXNlcnZlci1iZXRhLnBncC5jb20FGwMAAAADFgIBBR4BAAAAAAoJ +EJcQuJvKV618ERsH/020sz1xtDSLdUBRN8/eZN92BXMdUf38TOSb96cHVY1XU2X1 +dDU/BzdRZQp9AZkP9YgUtg2CMgyqeksaNsvSmB1C92dJD5VRzrX2Xy7ugeqkDnzI +nmMbULl6jDDXmO4UZDzEivhwM20ocwx8BF69W6Eav7LRoEN2rVAW8QqVHPoeDb8h +WnwhSJo1FyY7mjm+c4aZbGB6sEqZH0pew45JTlecKv1lo9uyN/CAREBkE9LVDsud +WxLX8u12HTDPvlE5qMXq/zNUFksz89Z25af3zzWA+AE+EJHKSic7oSprjiSx0txK +NkWnRRRFZce2DmVZSI8S+Oy3Qdc3SdbYIDVAD7o= +=f41D -----END PGP PUBLIC KEY BLOCK-----
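Review bot: In the highlights-1.4.txt hunk, three parenthetical references come through empty: the MD5 attack citation ("discussed in , among other places"), the Security-Enhanced Linux reference, and the OpenPGP smartcard reference, which is a bare "()"; each should carry the intended URL or be removed, since an empty "()" reads as a leftover placeholder in a shipped document. Smaller copy fixes in the same file: the stray period in `"http://www.jabberwocky.com/key.asc". or "finger:wk@g10code.com"`, "a HKP keyserver" should be "an HKP keyserver", and "sign each others keys" should be "sign each other's keys". The --sig-keyserver-url paragraph would also benefit from one sentence making explicit that, with honor-keyserver-url and auto-key-retrieve set, the key is fetched from a URL chosen by the signer, and that fetching a key this way does not make it valid; validity still comes from the trust model described later in the same file.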
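Review bot: The shebang on the first context line of the mksamplekeys hunk, `#/bin/sh`, is missing the `!` (it should be `#!/bin/sh`), so despite the script's executable mode bit it only runs when invoked as `sh mksamplekeys`; this change touches the `keys=` line directly below and is a good opportunity to fix it. The list also selects keys by 32-bit short key ID (the new entry is `CA57AD7C`); short IDs are not unique, so consider listing full fingerprints instead, which `gpg --list-keys` accepts, so that the regenerated samplekeys.asc cannot silently pick up a different key from the keyring that happens to share a short ID.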
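Review bot: The added listing entry for `pub 2048R/CA57AD7C 2004-12-06` includes a `[jpeg image of size 3400]` user attribute, so the new key adds a 3400-byte photo to a file whose purpose is to show sample key listings; if the photo ID is not the point of the sample, export the key without attribute user IDs (the `no-export-attributes` export option, assuming this tree already carries it) to keep the file small, and mention the choice in the ChangeLog entry. The listing also shows no fingerprint for the new key, only the short ID, which makes the entry hard to cross-check against the armored block further down in the same file.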
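Review bot: The armored replacement starting at the removed `-=Pc1y` line is an opaque regenerated blob, and nothing in the patch lets a reviewer confirm that those bytes correspond to the key listed as `CA57AD7C`; the ChangeLog entry says only "Add the PGP global directory key". Please record the full fingerprint of the Global Directory verification key, obtained out of band from the key's publisher, in the commit message or next to the listing entry, so that the contents of doc/samplekeys.asc can be verified against it now and on every future regeneration; a substituted key in this hunk would be indistinguishable from the intended one in review.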