X-Git-Url: http://git.sthu.org/?a=blobdiff_plain;f=caff%2FREADME.many-keys;h=cc709e8a86af8b9f57b45ed2f653db868b9562a7;hb=19c5ad0c18bc815c0507ae0f83eb33c7798db932;hp=ce57d5ece656360aa8339204da3897e95436959e;hpb=72d0da607a296094cdffd068f011ce28106097fe;p=pgp-tools.git diff --git a/caff/README.many-keys b/caff/README.many-keys index ce57d5e..cc709e8 100644 --- a/caff/README.many-keys +++ b/caff/README.many-keys @@ -17,27 +17,47 @@ Some hints to get the signing done faster: * v3 keys are evil. - Sign v3 separately. Batch processing does not work. See README.v3-keys. + V3 keys (pgp 2.6x keys) are deprecated. Not only do they rely on md5 for + their fingerprint and signatures, they also use the patented IDEA algorithm + for encryption. Also, there are several attacks that make creating new keys + with the same keyid trivial. Others make it possible to create different + keys with the same fingerprint (tho the key will not actually contain valid + RSA parameters). + + Because of these problems a lot of people (like caff's author) refuse to sign + v3 keys these days. + + If you still want to sign v3 keys, sign v3 separately. Batch processing does + not work. See README.v3-keys. * Use multiple passes. Going through retrieving, signing, and mailing keys can help, e.g.: - $ caff -SEM `cat ksp-fingerprints.txt` - $ caff -REM `cat ksp-fingerprints.txt` - $ caff -RSE `cat ksp-fingerprints.txt` + $ caff --no-sign --no-export-old --no-mail `cat ksp-fingerprints.txt` + $ caff --no-download --no-export-old --no-mail `cat ksp-fingerprints.txt` + $ caff --no-download --no-sign --no-export-old `cat ksp-fingerprints.txt` * If you have multiple local keys, only send mail once after signing with all. caff will send out all previously done signatures in the message. (Of course you have to configure $CONFIG{'keyid'} to contain all your key ids.) - $ caff -EM -u - $ caff -RE -u + $ caff --no-export-old --no-mail -u + $ caff --no-download --no-export-old -u * Use gpg-agent. See README.gpg-agent. - -- Christoph Berg Sat, 2 Jul 2005 21:22:07 +0200 +* Use gpg-sign-args. + + $CONFIG{'gpg-sign-args'} = "save"; + + This automatically saves the key after signing in gpg. The advantage is that + you do not have to type "save" for each key. The disadvantage is that you + cannot choose which UIDs to sign by answering "no" at the "Really sign?" + prompt any more; you will have *not* to send out some mails. (And you have + unwanted signatures lingering around in ~/.caff/gnupghome/pubring.gpg.) + -- Christoph Berg Wed, 6 Jul 2005 13:46:16 +0200