most convenient key type?

Janusz A. Urbanowicz alex@FUCKUP.fantastyka.net
Fri Aug 16 22:17:02 2002


David Shaw napisa=B3[a]/wrote/schrieb:
> > > "large sigs" problem with RSA (I don't recommend Elgamal signatures at
> > > all).
> >=20
> > 1024 bit keys are generally not looked upon highly in terms of security.
> > Applied Cryptography recommends 2048, IIRC.
>=20
> It's an interesting problem with DSA - supposedly the 1024 bit limit
> balances fairly well in terms of strength with the 160-bit hash you
> use with it.  Even if you made a 2048 bit DSA key, the weak point
> would be the 160-bit hash.  Of course, it can be argued that a large
> key is more important than a large hash.  Still, a "better DSA" should
> really raise both the key size and the hash size.

This is an interesting problem in key management. I know that longer primary
key does not make the whole protocol safer at the moment. But I am not
thinking about the very moment. What I want to archieve is to avoid a need
to change the primary key in my lifetime. If I make a primary key long
enogh, the weakest link is the hash, which will grow longer with time. But
if I would make a 'standard' DSS key, and year ago it would show that 1024
bit DSS is breakable with a reasonable budget I would be hosed and forced to
replace the whole key including the primary. But if the subkey will appear
to be vulnerable, no problem. The subkeys are expendable and can be replaced
easily.

Am I missing something?

Alex