Which type of key should I choose and why?

L. Sassaman rabbi@quickie.net
Mon, 16 Oct 2000 18:48:54 -0700 (PDT) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Most users will only want option 1. 

As for key sizes... hardware is fast. Make a 1024/4096 bit key. (2048 is
the lowest you should go... some people think higher is pointless. But I
am paranoid.)

There might be reasons, such as having a code signing key or a
certification key, not to want/need an encryption subkey.

Please note that you will NEVER want to use option 4. I really wish Werner
would remove it unless explicitly re-enabled in the config file. (ElGamal
signing keys have some potential security flaws.)

The GnuPG docs aren't the best. I offered to improve them a while ago if
the authors would let me reprint them as an appendix in an email security
book I am working on, and they got prissy about GPL issues. Oh well.

Hope that helps.

On Sun, 15 Oct 2000, Paul L. Allen wrote:


> [Please Cc me any replies as I'm not subscribed to the list]

> 

> I was thinking of switching from one of the very early RSA/IDEA versions of

> PGP (which I understand quite well, having been involved in the porting

> effort to a minority platform) to the latest GPG.  I have to

> admit to being very confused about the different choices of keys.  I

> can't see anything in the docs explaining why I have the choice of

> three options for generating keypairs.  Or why anyone would need the

> sign-only option when a sign-and-encrypt option gives a superset of

> the functionality.  Or why option number one is preferable to option

> number four.  Or why option four is offered at all if number one is a

> reasonable default.  Or why number one is the default if number four is

> better.  

> 

> I'm especially worried because you recommend people don't choose the

> default keylength and explain why.  Maybe I ought not to choose the

> default keypair for good reasons which you don't happen to have

> documented.  There seems to be nothing explaining the advantages and

> disadvantages of the various possibilities.

> 

> I looked in the FAQ.  It didn't help.  Worse, the FAQ has a bloody awful

> user-interface.  I can understand an FAQ maintainter not wanting to end

> up answering all sorts of questions by himself.  But the following

> things make that FAQ seriously flawed:

> 

>   1) He won't accept questions unless they're accompanied by answers.

>   But the people with questions to ask won't know the answers and the

>   people who know the answers will find it difficult to spot areas where

>   the documentation is inadequate because they already know more a lot

>   about the subject.

>   

>   2) He won't actually accept questions at all because if it's not

>   already there it's not frequently-asked so you shouldn't be asking for 

>   it to be included in the FAQ.  And since you're not allowed to ask for

>   it to be included, it can never become frequently-asked, only

>   never-asked.  Circular situation.  There may well be many people out

>   there with good questions which a lot of people want answers to but

>   they give up because they're not allowed to ask them.

>   

>   3) The above two points are mitigated by the existence of this mailing

>   list, where people can ask infrequently-asked questions, get answers

>   and maybe those will make it into the FAQ if enough people ask them.

>   Except he doesn't mention the existence of this list.  I spotted a

>   mention of it by accident about 30s before I was due to give up in

>   disgust over the FAQ.  That the FAQ doesn't mention this list as the

>   place to submit questions which the FAQ doesn't answer is a serious

>   flaw.  That bald paragraph at the start is enough to put most people

>   off for good.

>   

> This is not good user-interface design.  GPG's user-interface may be

> nicer than PGP's interface, as you claim.  PGP's FAQ interface is a lot

> better in some areas...

> 

> -- 

> Paul

> 

> -- 

> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail

> with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org

> 


__

L. Sassaman

Security Architect             |  "Lose your dreams and you
Technology Consultant          |   will lose your mind."
                               |   
http://sion.quickie.net        |       --The Rolling Stones

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE567ANPYrxsgmsCmoRAoHRAJ4zMgic/YirZ6K/J+fzcXiOxAOOhQCg+X7q
dnbk06QPPF6zd4Two9YzhbM=
=/kYB
-----END PGP SIGNATURE-----

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org