most convenient key type?

David Shaw dshaw@jabberwocky.com
Fri Aug 16 16:37:01 2002


On Thu, Aug 15, 2002 at 10:34:50PM +0200, Janusz A. Urbanowicz wrote:
> Hello
> 
> Due to compromise of my secret key I'm gonna generate new keys for my
> personal use. The problem is I am not sure which type I should go for. I'd
> like to have the most interoperability I can get, while avoiding DSA 1024
> bits limit.

The most interoperable key type is the PGP 2.x style v3 RSA keys.
This does not make it the best choice however.  v3 RSA keys can't have
subkeys, so you lose that benefit.  You also lose most of the new
OpenPGP features, and RSA signatures grow in size as the key size
grows, so if your RSA key is big, your sigs are too.

The best 'all round' key is a DSA signing key with an Elgamal
encryption subkey.  This is the default key in PGP and GnuPG and is
nearly as widely supported as PGP 2.x keys.

If you want to avoid the DSA 1024 bit limit, then you are back in the
"large sigs" problem with RSA (I don't recommend Elgamal signatures at
all).

One possible solution is to do what I did: an RSA primary key, with an
Elgamal encryption subkey and a DSA signing subkey.  The RSA primary
can be whatever size you like and is used for signing the subkeys
(note that using a big primary key generally makes the hash the weak
point).  This works well with the GnuPG feature to use a secret key
without a primary.  I keep my large primary offline, and use the two
subkeys for actual work.

One disadvantage with this is the common keyserver bug that mangles
keys with more than one subkey.  Until that bug is fixed, you can't
really distribute the key with all the subkeys attached.  The other
disadvantage is that all versions of PGP have a bug in that they cannot
verify signatures made by a signing subkey.  GnuPG and Imad's PGP-ckt
can.

> BTW: I noticed that ElGamal sign+encrypt key generation is missing from
> options in 1.1.91. Why?

Because it's not the most convenient or interoperable key type ;)

Elgamal sign+encrypt is still there, if you add an --expert to your
command line.  You can also make RSA sign+encrypt that way.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
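
The layout described in the message above (RSA primary kept offline, Elgamal encryption subkey, DSA signing subkey) can be checked on the working machine. The following is an added example, not part of the original message and not GnuPG's own code. It assumes the colon-delimited output of a current `gpg --list-secret-keys --with-colons`, where field 15 of a `sec`/`ssb` record is `#` when only a stub of the secret key is present; the listing and key IDs are constructed.

```python
# Added example: audit a secret keyring listing for the offline-primary layout.
ALGO = {"1": "RSA", "16": "Elgamal", "17": "DSA"}  # OpenPGP public-key algorithm IDs

# Constructed sample of `gpg --list-secret-keys --with-colons` (placeholder key IDs).
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1029500000:::u:::cESC:::#:
uid:u::::1029500000::::Example User <user@example.org>:
ssb:u:2048:16:BBBBBBBBBBBBBBBB:1029500000::::::e:::+:
ssb:u:1024:17:CCCCCCCCCCCCCCCC:1029500000::::::s:::+:
"""

def parse_keys(listing):
    """Return one dict per sec/ssb record; other record types are skipped."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (15 - len(f))          # tolerate short records
        keys.append({
            "primary": f[0] == "sec",
            "bits": int(f[2]),
            "algo": ALGO.get(f[3], "algo-" + f[3]),
            "keyid": f[4],
            # lowercase letters are this key's own capabilities (field 12)
            "caps": {c for c in f[11] if c.islower()},
            "stub": f[14] == "#",           # field 15: secret part not on this machine
        })
    return keys

def audit(keys):
    """List deviations from: offline primary, usable signing and encryption subkeys."""
    findings = []
    usable = set()  # capabilities of subkeys whose secret part is present
    for k in keys:
        if k["primary"]:
            if not k["stub"]:
                findings.append(k["keyid"] + ": primary secret key is present, not offline")
            continue
        if not k["stub"]:
            usable |= k["caps"]
        if k["algo"] == "Elgamal" and "s" in k["caps"]:
            findings.append(k["keyid"] + ": Elgamal subkey is flagged for signing")
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in usable:
            findings.append("no usable " + name + " subkey")
    return findings

if __name__ == "__main__":
    print(audit(parse_keys(SAMPLE)) or "layout matches")
```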