most convenient key type?

David Shaw
Fri Aug 16 21:46:01 2002

On Fri, Aug 16, 2002 at 07:07:33PM +0000, Brian M. Carlson wrote:
> On Fri, Aug 16, 2002 at 10:38:02AM -0400, David Shaw wrote:
> > This does not make it the best choice however.  v3 RSA keys can't have
> > subkeys, so you lose that benefit.  You also lose most of the new
> > OpenPGP features, and RSA signatures grow in size as the key size
> > grows, so if your RSA key is big, your sigs are too.
> Yes, the lack of subkeys on v3 keys is disappointing. Everything else can
> be overcome with v4 signatures.

This is true, but then you give up some of that interoperability,
since PGP 2.x versions (except modified ones) won't handle the v4
signature on the v3 key.  You need a program that handles v4
signatures so you might as well use a v4 key.  It's a good trick to
"upgrade" old v3 keys though.

> > If you want to avoid the DSA 1024 bit limit, then you are back in the
> > "large sigs" problem with RSA (I don't recommend Elgamal signatures at
> > all).
> 1024 bit keys are generally not looked upon highly in terms of security.
> Applied Cryptography recommends 2048, IIRC.

It's an interesting problem with DSA - supposedly the 1024 bit limit
balances fairly well in terms of strength with the 160-bit hash you
use with it.  Even if you made a 2048 bit DSA key, the weak point
would be the 160-bit hash.  Of course, it can be argued that a large
key is more important than a large hash.  Still, a "better DSA" should
really raise both the key size and the hash size.

> > One possible solution is to do what I did: a RSA primary key, with an
> > Elgamal encryption subkey and a DSA signing subkey.  The RSA primary
> > can be whatever size you like and is used for signing the subkeys
> > (note that using a big primary key generally makes the hash the weak
> > point).  This works well with the GnuPG feature to use a secret key
> > without a primary.  I keep my large primary offline, and use the two
> > subkeys for actual work.
> I liked what you did, so I created something similar for my laptop key. I
> have a primary key, which signs subkeys, a data signing subkey, a key
> signing subkey, and an encryption subkey. However, the key signing subkey
> doesn't sign keys, making it very useless. If this is unavailable,
> consider this a wishlist bug. If this is available, please tell me how I
> can get it to work, as I've tried everything, including -u DEADBEEF! .

It actually used to be available, but was removed.  The main reason is
that the web of trust is currently built via signatures from and on
primary keys only.  Subkeys making key signatures would split the web
of trust into the PGP half (primary keys only) and the GnuPG half
(primary + subkeys).


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
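
An added example, not part of the original message: a rough estimate of the key-size versus hash-size balance discussed above for DSA, alongside how raw RSA and DSA signature sizes scale. It assumes the asymptotic number field sieve cost formula with the o(1) term dropped and the birthday bound for hash collisions; all function names are illustrative.

```python
import math

def nfs_bits(modulus_bits):
    """Approximate log2 work for the number field sieve on a modulus of this
    size: L[1/3, (64/9)^(1/3)] with the o(1) term dropped (an assumption, so
    treat the result as a rough guide, not an exact security level)."""
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def collision_bits(hash_bits):
    """Birthday bound: finding a collision costs about 2^(n/2) hash calls."""
    return hash_bits / 2

def weak_point(key_bits, hash_bits):
    """Name the cheaper component to attack for a key/hash pairing."""
    return "hash" if collision_bits(hash_bits) < nfs_bits(key_bits) else "key"

def rsa_sig_bytes(modulus_bits):
    """A raw RSA signature is one integer as wide as the modulus."""
    return modulus_bits // 8

def dsa_sig_bytes(q_bits=160):
    """A raw DSA signature is the pair (r, s), each as wide as q.
    q is 160 bits in the DSA variant discussed in this thread."""
    return 2 * q_bits // 8

if __name__ == "__main__":
    # Constructed comparison: key sizes paired with a 160-bit hash.
    # Sizes exclude OpenPGP packet framing.
    print("key bits  key~  hash~  weak  RSA sig  DSA sig")
    for bits in (1024, 2048, 4096):
        print(f"{bits:8d}  {nfs_bits(bits):4.0f}  "
              f"{collision_bits(160):5.0f}  {weak_point(bits, 160):4s}  "
              f"{rsa_sig_bytes(bits):7d}  {dsa_sig_bytes():7d}")
```

Under these assumptions a 1024-bit key comes out within a few bits of a 160-bit hash, while at 2048 bits the gap widens to roughly 37 bits with the hash as the limiting component.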