most convenient key type?
David Shaw
dshaw@jabberwocky.com
Sat Aug 17 16:32:02 2002
On Fri, Aug 16, 2002 at 10:17:34PM +0200, Janusz A. Urbanowicz wrote:
> David Shaw napisał[a]/wrote/schrieb:
> > > > "large sigs" problem with RSA (I don't recommend Elgamal signatures at
> > > > all).
> > >
> > > 1024 bit keys are generally not looked upon highly in terms of security.
> > > Applied Cryptography recommends 2048, IIRC.
> >
> > It's an interesting problem with DSA - supposedly the 1024 bit limit
> > balances fairly well in terms of strength with the 160-bit hash you
> > use with it. Even if you made a 2048 bit DSA key, the weak point
> > would be the 160-bit hash. Of course, it can be argued that a large
> > key is more important than a large hash. Still, a "better DSA" should
> > really raise both the key size and the hash size.
>
> This is an interesting problem in key management. I know that longer primary
> key does not make the whole protocol safer at the moment. But I am not
> thinking about the very moment. What I want to achieve is to avoid a need
> to change the primary key in my lifetime. If I make a primary key long
> enough, the weakest link is the hash, which will grow longer with time. But
> if I would make a 'standard' DSS key, and year ago it would show that 1024
> bit DSS is breakable with a reasonable budget I would be hosed and forced to
> replace the whole key including the primary. But if the subkey will appear
> to be vulnerable, no problem. The subkeys are expendable and can be replaced
> easily.
>
> Am I missing something?

Sounds about right to me. This is pretty much the same thought
process I followed when I decided on a big (4096) RSA primary, a DSA
signing subkey, and an Elgamal encrypting subkey. Remember that
you'll have a few signatures made with the weaker hash floating around
until the better hash arrives.

There are still the two catches I mentioned before - most keyservers
don't like this key and until the keyserver bugs are fixed, I can't
upload the whole key (I have to leave off one of the subkeys to avoid
the key corruption bug), and that PGP won't verify a signature made by
the signing subkey. GnuPG and PGP-ckt will.

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
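
The balance between DSA key size and hash size discussed in this thread can be checked numerically. The sketch below is an added example, not part of the original post: it uses the standard heuristic GNFS running-time formula with the o(1) term dropped, plus the generic n/2-bit bounds for Pollard rho on the subgroup and for hash collisions, so the figures are rough estimates; the function names are hypothetical.

```python
import math


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_N[1/3, (64/9)^(1/3)] for an
    n-bit modulus, with the o(1) term dropped (rough estimate only)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_ln = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def dsa_strength(p_bits: int, q_bits: int, hash_bits: int):
    """Return (estimated bits of security, limiting component) for a DSA
    signature with modulus p, subgroup order q and the given hash size."""
    components = {
        "subgroup": q_bits / 2,        # Pollard rho in the order-q subgroup
        "hash": hash_bits / 2,         # birthday bound on hash collisions
        "modulus": gnfs_bits(p_bits),  # index calculus / NFS modulo p
    }
    limiting = min(components, key=components.get)
    return components[limiting], limiting


if __name__ == "__main__":
    # Parameter sets are constructed for illustration. The original DSS
    # fixes q at 160 bits, so a bigger p alone leaves q and the hash behind.
    cases = [
        ("DSA 1024, q=160, 160-bit hash", 1024, 160, 160),
        ("DSA 2048, q=160, 160-bit hash", 2048, 160, 160),
        ("DSA 2048, q=256, 256-bit hash", 2048, 256, 256),
    ]
    for label, p, q, h in cases:
        bits, limiting = dsa_strength(p, q, h)
        print(f"{label}: ~{bits:.0f} bits, limited by {limiting}")
    print(f"4096-bit RSA primary (factoring): ~{gnfs_bits(4096):.0f} bits")
```

With a 160-bit q and hash, doubling the modulus from 1024 to 2048 bits leaves the estimate at 80 bits; only raising both sizes moves the limit to the modulus.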