Standards and PGP wraper

David Pick D.M.Pick at
Tue Nov 10 11:20:58 CET 1998


> Niklas Hernaeus <nh at> writes:
> > The reason to split the key to one encryption key and one signing key is
> > not that technical.  One reason that this was done to PGP was the side
> Some cryptographers believe that different keys for signing and
> encryption are more secure.

And I don't see how the use of different keys could be any *worse*!

> > effect to make key escrow possible, and that is a purely political issue.
>   * and because it is not possible to use DSA for encryption (yes I know
>     there is a workaround).
>   * ElGamal signatures are much slower and the sigantures are larger
>   * PGP Inc. didn't figure out how to avoid the Bleichenbacher attack on
>     ElGamal signatures (The code for Elgamal signatures is in pgp 5.0
>     but it commented out
> > I find key escrow to be a very bad solution to a problem, both technically
> > and politically, for several reasons, and I therefore see no reason at all
> > to use a split key solution.
> I can't see how you can use split key (we should better call it
> secondary keys - because "split key" is normally used for a different
> task) for key escrow.  Okay, it makes it easy to change the encryption
> key - whether this helps key escrow is not clear.

But, ignoring key *escrow* for the moment (where you pre-deposit your
private key), there's another issue. In the UK we are likely to get
laws which will make it a criminal offence to refuse to reveal an
encryption key *when served with an appropriate warrant*. I don't
have any problem with this proposal, personally, provided it only
applies to encryption keys and not to signature keys. Now we get on
to the practicalities: the Police are conducting a search and seize
your computer for forensic examination - and make certified disc dumps
on write-once media. They then discover encrypted material and (under
the law) demand the encryption key(s). The simplest way to comply is
to reveal your pass phrase so they can decrypt the keys in the keyring
they already have on the certified copies.

**But it is essential that there are different passphrases for signatures
and encryption keys.** Otherwise you would be revealing the signature key
as well as the encryption key, And I'd have considerable problem with
doing that.

BTW, the proposals in the UK are only proposals so far and *are* likely
to distinguish between encryption and signature keys so that you can't
be forced to reveal signature keys. But all UK subjects whould watch
out for this...

- -- 
	David Pick
	D.M.Pick at
a.k.a.	Hostmaster at

Version: 2.6.3ia
Charset: noconv


More information about the Gnupg-devel mailing list