Which type of key should I choose and why?

Paul L. Allen pla@softflare.net
Sun, 15 Oct 2000 22:25:13 +0100


On Sun, Oct 15, 2000 at 08:29:59PM +0100, David Pick wrote:

>
> > Or why anyone would need the
> > sign-only option when a sign-and-encrypt option gives a superset of
> > the functionality.
>
> Because if it's "sign-only" it can't be used for encryption. If it
> can't be used for encryption the British police can't serve you
> with a notice under RIPA requiring you to reveal it.

I take it you meant "RIPE" and that was a typo. They'll still suspect that you have an encryption key (possibly signed by your sign-only key) hidden elsewhere.

> So they can't use it to forge your signature on anything incriminating.

That's the least of your worries about RIPE. Perpetual imprisonment is another. You can't be tried and jailed twice for the same offence. But if they ask you for your key and you refuse and get jailed, when you come out and they ask you again and you refuse again, that's a separate crime. You can't duck a longer jail sentence for your real crime by refusing to hand over your key because they'll just keep putting you back inside until you've served more time than you would have if you had originally revealed your key - at that point you'll hand your key over, because they'll just keep going if you don't.

> If you want both you should use a pair of keys, one for
> encryption and the other for signatures. That way, if you are
> unlucky enough to get such a notice you can reveal only the
> encryption key (if you're prepared to do so rather than get charged).

See above. Refusing to hand over your encryption key effectively gets you a life sentence if you're stubborn. If you're going to give in eventually, sooner rather than later is a better option. Unless the stuff you don't want them to see is time-sensitive in some way and you can escape conviction for your real crime if you hide the details long enough.

> "Version 4" key formats allow a "key" packet to contain multiple
> cryptographic keys with different properties which are grouped and
> can be signed (for authenticity) *as* a group. One snag is that GnuPG
> (at least the earlier version I looked at in some depth) doesn't
> allow different passphrases to be used for the different keys in
> the key packet; although the packet format allows it.

Thanks for your answers. You've cleared up the query about why signature-only. Now all I need to know is under what circumstances DSA+ElGamal is preferable to ElGamal (sign and encrypt) and vice versa. Does it come down to being able to delete the signature key if you're quick enough (to at least stop them forging stuff in your name)? You still have to reveal your encryption key or face a life sentence, and that's likely to be more incriminating if you're a real criminal.

Basically, I'd like to know if the difference between the options is technical (this cipher or this signature algorithm is stronger) or operational (you can delete one of the keys if you need to and have the time and maybe have some degree of protection against some forms of abuse by authority). Come to that, now RSA let the patent go early, are there any advantages to using that instead of the others?

> BTW talking of "minority platforms" I'm typing this sat at an
> Acorn RiscPC...

I coded some of the PGP modules in Acorn assembler to speed up Chris Gransden's port back in the days when the A400 was still widely used and we really needed the speed gain hand-tweaked assembler could provide.

--
Paul