most convenient key type?

[Brian M. Carlson]

--oJ71EGRlYNjSvfq7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Aug 16, 2002 at 10:38:02AM -0400, David Shaw wrote:
> On Thu, Aug 15, 2002 at 10:34:50PM +0200, Janusz A. Urbanowicz wrote:
> > Hello
> >=20
> > Due to compromise of my secret key I'm gonna generate new keys for my
> > personal use. The problem is I am not sure which type I should go for. =
I'd
> > like to have the most interoperability I can get, while avoiding DSA 10=
24
> > bits limit.
>=20
> The most interoperable key type is the PGP 2.x style v3 RSA keys.

If you want one of these, you can use one of the old hacked GPL'd PGP
versions. I think it's 2.62g that generates v3 keys but works like 2.6.3,
so you can have the ethics of free software, and the convenience of
compatibility.

> This does not make it the best choice however.  v3 RSA keys can't have
> subkeys, so you lose that benefit.  You also lose most of the new
> OpenPGP features, and RSA signatures grow in size as the key size
> grows, so if your RSA key is big, your sigs are too.

Yes, the lack of subkeys on v3 keys is disappointing. Everything else can
be overcome with v4 signatures.

> The best 'all round' key is a DSA signing key with an Elgamal
> encryption subkey.  This is the default key in PGP and GnuPG and is
> nearly as widely supported as PGP 2.x keys.

The reason DSA has smaller signatures is because of q, which is fixed at
160 bits. If Elgamal had q, it would be smaller too. Of course, then it
would be DSA.
=20
> If you want to avoid the DSA 1024 bit limit, then you are back in the
> "large sigs" problem with RSA (I don't recommend Elgamal signatures at
> all).

1024 bit keys are generally not looked upon highly in terms of security.
Applied Cryptography recommends 2048, IIRC.

> One possible solution is to do what I did: a RSA primary key, with an
> Elgamal encryption subkey and a DSA signing subkey.  The RSA primary
> can be whatever size you like and is used for signing the subkeys
> (note that using a big primary key generally makes the hash the weak
> point).  This works well with the GnuPG feature to use a secret key
> without a primary.  I keep my large primary offline, and use the two
> subkeys for actual work.

I liked what you did, so I created something similar for my laptop key. I
have a primary key, which signs subkeys, a data signing subkey, a key
signing subkey, and an encryption subkey. However, the key signing subkey
doesn't sign keys, making it very useless. If this is unavailable,
consider this a wishlist bug. If this is available, please tell me how I
can get it to work, as I've tried everything, including -u DEADBEEF! .
=20
> > BTW: I noticed that ElGamal sign+encrypt key generation is missing from
> > options in 1.1.91. Why?
>=20
> Because it's not the most convenient or interoperable key type ;)

It may not be, but 28 people like it. ;-)
=20
--=20
Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553=
E7
The [Ford Foundation] is a large body of money completely surrounded by
people who want some.
		-- Dwight MacDonald

--oJ71EGRlYNjSvfq7
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.90 (GNU/Linux)
Comment: Ubi libertas, ibi patria.

iQFKBAEBAwA0BQI9XU10LRpodHRwOi8vZGVjb3kud294Lm9yZy9+Ym1jL29wZW5w
Z3AvcG9saWN5LnRleAAKCRDlkf/JVgVT5/cbCACbYVR+3OzTwIJUp8nSFFN6I8bK
FNZ+kKpToeO+NCXy/LFyuFTJFT+TbYApVu888hkf17714lzani3y4Bg1G5+bYfb7
njrE0pPNkrinxHwCQJbJpSbfJvbjy7G8a7KREQ9Rfho7tveFnmNLezmGnn9mGle5
v/ECikxPADIFnlfLaMPYPLk4BTms9egxg14/WkwgekCTV29ozfoVJw+5OoBlxLyg
4iqYqZQso4rMAtyx+5lcsIOIoYhKXmXyLaGCg7o2bYzuroO+R2z9Ik1gmsNSJqWm
vC5uguwJkRlDTBQM0TNwMtKc6C6PcN6mAms0kRXYqtgQBJ489WMnOsq/lEdn
=jkF6
-----END PGP SIGNATURE-----
Signature policy: http://decoy.wox.org/~bmc/openpgp/policy.tex

--oJ71EGRlYNjSvfq7--