Which type of key should I choose and why?

L. Sassaman rabbi@quickie.net
Mon, 16 Oct 2000 18:48:54 -0700 (PDT)

Hash: SHA1

Most users will only want option 1. 

As for key sizes... hardware is fast. Make a 1024/4096 bit key. (2048 is
the lowest you should go... some people think higher is pointless. But I
am paranoid.)

There might be reasons, such as having a code signing key or a
certification key, not to want/need an encryption subkey.

Please note that you will NEVER want to use option 4. I really wish Werner
would remove it unless explicitly re-enabled in the config file. (ElGamal
signing keys have some potential security flaws.)

The GnuPG docs aren't the best. I offered to improve them a while ago if
the authors would let me reprint them as an appendix in an email security
book I am working on, and they got prissy about GPL issues. Oh well.

Hope that helps.

On Sun, 15 Oct 2000, Paul L. Allen wrote:

> [Please Cc me any replies as I'm not subscribed to the list]
> I was thinking of switching from one of the very early RSA/IDEA versions of
> PGP (which I understand quite well, having been involved in the porting
> effort to a minority platform) to the latest GPG. I have to
> admit to being very confused about the different choices of keys. I
> can't see anything in the docs explaining why I have the choice of
> three options for generating keypairs. Or why anyone would need the
> sign-only option when a sign-and-encrypt option gives a superset of
> the functionality. Or why option number one is preferable to option
> number four. Or why option four is offered at all if number one is a
> reasonable default. Or why number one is the default if number four is
> better.
> I'm especially worried because you recommend people don't choose the
> default keylength and explain why. Maybe I ought not to choose the
> default keypair for good reasons which you don't happen to have
> documented. There seems to be nothing explaining the advantages and
> disadvantages of the various possibilities.
> I looked in the FAQ. It didn't help. Worse, the FAQ has a bloody awful
> user-interface. I can understand an FAQ maintainter not wanting to end
> up answering all sorts of questions by himself. But the following
> things make that FAQ seriously flawed:
> 1) He won't accept questions unless they're accompanied by answers.
> But the people with questions to ask won't know the answers and the
> people who know the answers will find it difficult to spot areas where
> the documentation is inadequate because they already know more a lot
> about the subject.
> 2) He won't actually accept questions at all because if it's not
> already there it's not frequently-asked so you shouldn't be asking for
> it to be included in the FAQ. And since you're not allowed to ask for
> it to be included, it can never become frequently-asked, only
> never-asked. Circular situation. There may well be many people out
> there with good questions which a lot of people want answers to but
> they give up because they're not allowed to ask them.
> 3) The above two points are mitigated by the existence of this mailing
> list, where people can ask infrequently-asked questions, get answers
> and maybe those will make it into the FAQ if enough people ask them.
> Except he doesn't mention the existence of this list. I spotted a
> mention of it by accident about 30s before I was due to give up in
> disgust over the FAQ. That the FAQ doesn't mention this list as the
> place to submit questions which the FAQ doesn't answer is a serious
> flaw. That bald paragraph at the start is enough to put most people
> off for good.
> This is not good user-interface design. GPG's user-interface may be
> nicer than PGP's interface, as you claim. PGP's FAQ interface is a lot
> better in some areas...
> --
> Paul
> --
> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
> with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
__ L. Sassaman Security Architect | "Lose your dreams and you Technology Consultant | will lose your mind." | http://sion.quickie.net | --The Rolling Stones -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE567ANPYrxsgmsCmoRAoHRAJ4zMgic/YirZ6K/J+fzcXiOxAOOhQCg+X7q dnbk06QPPF6zd4Two9YzhbM= =/kYB -----END PGP SIGNATURE----- -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org