V3 keys (pgp 2.6x keys) are deprecated. Not only do they rely on md5 for
their fingerprint and signatures, they also use the patented IDEA algorithm
- for encryption. Many people (like caff's author) refuse to sign v3 keys
- these days.
+ for encryption. Also, there are several attacks that make creating new keys
+ with the same keyid trivial. Others make it possible to create different
+ keys with the same fingerprint (tho the key will not actually contain valid
+ RSA parameters).
- If you want to sign v3 keys, sign v3 separately. Batch processing does not
- work. See README.v3-keys.
+ Because of these problems a lot of people (like caff's author) refuse to sign
+ v3 keys these days.
+
+ If you still want to sign v3 keys, sign v3 separately. Batch processing does
+ not work. See README.v3-keys.
* Use multiple passes.
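Review bot: the two attack claims added in the v3 paragraph ("creating new keys with the same keyid trivial" and "different keys with the same fingerprint") carry no reference and no hint of what a signer should do about them. A reader cannot tell from this text whether the concern is the short keyid, the MD5-based fingerprint mentioned two lines earlier, or both. Suggest tying the fingerprint claim explicitly to the MD5 fingerprint already named in the paragraph and pointing to README.v3-keys for details, since that file is referenced at the end anyway. Minor style points in the same hunk: "tho" should be "though", and "sign v3 separately" reads better as "sign them separately".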
caff will send out all previously done signatures in the message. (Of course
you have to configure $CONFIG{'keyid'} to contain all your key ids.)
- $ caff --no-export-old --no-mail -u <mykey1> <other_key>
- $ caff --no-download --no-export-old -u <mykey2> <other_key>
+ $ caff --no-export-old --no-mail -u <mykey1> <keyids to sign>
+ $ caff --no-download --no-export-old -u <mykey2> <keyids to sign>
* Use gpg-agent.
See README.gpg-agent.
- -- Christoph Berg <cb@df7cb.de> Sat, 2 Jul 2005 21:22:07 +0200
+* Use gpg-sign-args.
+
+ $CONFIG{'gpg-sign-args'} = "save";
+
+ This automatically saves the key after signing in gpg. The advantage is that
+ you do not have to type "save" for each key. The disadvantage is that you
+ cannot choose which UIDs to sign by answering "no" at the "Really sign?"
+ prompt any more; you will have *not* to send out some mails. (And you have
+ unwanted signatures lingering around in ~/.caff/gnupghome/pubring.gpg.)
+ -- Christoph Berg <cb@df7cb.de> Wed, 6 Jul 2005 13:46:16 +0200
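Review bot: the new gpg-sign-args entry notes that unwanted signatures linger in ~/.caff/gnupghome/pubring.gpg, but it does not say what happens to them on a later run, which matters because the multiple-passes tip above states that caff "will send out all previously done signatures in the message". Suggest stating whether those lingering signatures on UIDs the user did not mean to certify can end up in a later mail, and how to remove them or avoid exporting them (the examples above already use --no-export-old). Separately, "you will have *not* to send out some mails" is hard to parse; something like "you will have to refrain from sending some of the mails" says what is meant. The changed placeholder "<keyids to sign>" in the two command lines is clearer than "<other_key>" and needs no change.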