Which type of key should I choose and why?

Paul L. Allen pla@softflare.net
Sun, 15 Oct 2000 22:25:13 +0100

On Sun, Oct 15, 2000 at 08:29:59PM +0100, David Pick wrote:

> > Or why anyone would need the
> > sign-only option when a sign-and-encrypt option gives a superset of
> > the functionality.
> Because if it's "sign-only" it can't be used for encryption. If it
> can't be used for encryption the British police can't serve you
> with a notice under RIPA requiring you to reveal it.
I take it you meant "RIPE" and that was a typo. They'll still suspect that you have an encryption key (possibly signed by your sign-only key) hidden elsewhere.
> So they can't use it to forge your signature on anything incriminating.
That's the least of your worries about RIPE. Perpetual imprisonment is another. You can't be tried and jailed twice for the same offence. But if they ask you for your key and you refuse and get jailed, when you come out and they ask you again and you refuse again, that's a separate crime. You can't duck a longer jail sentence for your real crime by refusing to hand over your key because they'll just keep putting you back inside until you've served more time than you would have if you had originally revealed your key - at that point you'll hand your key over, because they'll just keep going if you don't.
> If you want both you should use a pair of keys, one for
> encryption and the other for signatures. That way, if you are
> unlucky enough to get such a notice you can reveal only the
> encryption key (if you're prepared to do so rather than get charged).
See above. Refusing to hand over your encryption key effectively gets you a life sentence if you're stubborn. If you're going to give in eventually, sooner rather than later is a better option. Unless the stuff you don't want them to see is time-sensitive in some way and you can escape conviction for your real crime if you hide the details long enough.
> "Version 4" key formats allow a "key" packet to contain multiple
> cryptographic keys with different properties which are grouped and
> can be signed (for authenticity) *as* a group. One snag with GnuPG
> (at least the earlier version I looked at in some depth) doesn't
> allow different passphrases to be used for the different keys in
> the key packet; although the packet format allows it.
Thanks for your answers. You've cleared up the query about why signature-only. Now all I need to know is under what circumstances DSA+ElGamal is preferable to ElGamal (sign and encrypt) and vice versa. Does it come down to being able to delete the signature key if you're quick enough (to at least stop them forging stuff in your name)? You still have to reveal your encryption key or face a life sentence, and that's likely to be more incriminating if you're a real criminal. Basically, I'd like to know if the difference between the options is technical (this cipher or this signature algorithm is stronger) or operational (you can delete one of the keys if you need to and have the time and maybe have some degree of protection against some forms or abuse by authority). Come to that, now RSA let the patent go early, are there any advantages to using that instead of the others?
> BTW talking of "minority platforms" I'm typing this sat at an
> Acorn RiscPC...
I coded some of the PGP modules in Acorn assembler to speed up Chris Gransden's port back in the days when the A400 was still widely used and we really needed the speed gain hand-tweaked assembler could provide. -- Paul -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org