Which type of key should I choose and why?
Paul L. Allen
Sun, 15 Oct 2000 01:07:29 +0100
[Please Cc me any replies as I'm not subscribed to the list]
I was thinking of switching from one of the very early RSA/IDEA versions of
PGP (which I understand quite well, having been involved in the porting
effort to a minority platform) to the latest GPG. I have to
admit to being very confused about the different choices of keys. I
can't see anything in the docs explaining why I have the choice of
three options for generating keypairs. Or why anyone would need the
sign-only option when a sign-and-encrypt option gives a superset of
the functionality. Or why option number one is preferable to option
number four. Or why option four is offered at all if number one is a
reasonable default. Or why number one is the default if number four is
I'm especially worried because you recommend people don't choose the
default keylength and explain why. Maybe I ought not to choose the
default keypair for good reasons which you don't happen to have
documented. There seems to be nothing explaining the advantages and
disadvantages of the various possibilities.
I looked in the FAQ. It didn't help. Worse, the FAQ has a bloody awful
user-interface. I can understand an FAQ maintainter not wanting to end
up answering all sorts of questions by himself. But the following
things make that FAQ seriously flawed:
1) He won't accept questions unless they're accompanied by answers.
But the people with questions to ask won't know the answers and the
people who know the answers will find it difficult to spot areas where
the documentation is inadequate because they already know more a lot
about the subject.
2) He won't actually accept questions at all because if it's not
already there it's not frequently-asked so you shouldn't be asking for
it to be included in the FAQ. And since you're not allowed to ask for
it to be included, it can never become frequently-asked, only
never-asked. Circular situation. There may well be many people out
there with good questions which a lot of people want answers to but
they give up because they're not allowed to ask them.
3) The above two points are mitigated by the existence of this mailing
list, where people can ask infrequently-asked questions, get answers
and maybe those will make it into the FAQ if enough people ask them.
Except he doesn't mention the existence of this list. I spotted a
mention of it by accident about 30s before I was due to give up in
disgust over the FAQ. That the FAQ doesn't mention this list as the
place to submit questions which the FAQ doesn't answer is a serious
flaw. That bald paragraph at the start is enough to put most people
off for good.
This is not good user-interface design. GPG's user-interface may be
nicer than PGP's interface, as you claim. PGP's FAQ interface is a lot
better in some areas...
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org