most convenient key type?
Sat Aug 17 16:32:02 2002
On Fri, Aug 16, 2002 at 10:17:34PM +0200, Janusz A. Urbanowicz wrote:
> David Shaw napisa?[a]/wrote/schrieb:
> > > > "large sigs" problem with RSA (I don't recommend Elgamal signatures at
> > > > all).
> > >
> > > 1024 bit keys are generally not looked upon highly in terms of security.
> > > Applied Cryptography recommends 2048, IIRC.
> > It's an interesting problem with DSA - supposedly the 1024 bit limit
> > balances fairly well in terms of strength with the 160-bit hash you
> > use with it. Even if you made a 2048 bit DSA key, the weak point
> > would be the 160-bit hash. Of course, it can be argued that a large
> > key is more important than a large hash. Still, a "better DSA" should
> > really raise both the key size and the hash size.
> This is an interesting problem in key management. I know that longer primary
> key does not make the whole protocol safer at the moment. But I am not
> thinking about the very moment. What I want to archieve is to avoid a need
> to change the primary key in my lifetime. If I make a primary key long
> enogh, the weakest link is the hash, which will grow longer with time. But
> if I would make a 'standard' DSS key, and year ago it would show that 1024
> bit DSS is breakable with a reasonable budget I would be hosed and forced to
> replace the whole key including the primary. But if the subkey will appear
> to be vulnerable, no problem. The subkeys are expendable and can be replaced
> Am I missing something?
Sounds about right to me. This is pretty much the same thought
process I followed when I decided on a big (4096) RSA primary, a DSA
signing subkey, and an Elgamal encrypting subkey. Remember that
you'll have a few signatures made with the weaker hash floating around
until the better hash arrives.
There are still the two catches I mentioned before - most keyservers
don't like this key and until the keyserver bugs are fixed, I can't
upload the whole key (I have to leave off one of the subkeys to avoid
the key corruption bug), and that PGP won't verify a signature made by
the signing subkey. GnuPG and PGP-ckt will.
David Shaw | firstname.lastname@example.org | WWW http://www.jabberwocky.com/
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson