Symmetric cipher selection order, RSA keys

Brian M. Carlson
Fri May 17 18:30:01 2002

Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, May 13, 2002 at 07:29:08AM -0700, David Hollenberg wrote:
> I got GNUPG 1.0.7 and installed it on Solaris and it works great!  But I=
> have a few questions:
> 1. Suppose I encrypt a message to two public keys, whose symmetric cipher
>    preferences are:
> 	Key 1:  AES, CAST5, 3DES
> 	Key 2:  CAST5, AES, 3DES
>    Which cipher will GNUPG pick?  Can I influence GNUPG's choice
>    (e.g., via a list of ciphers that *I* prefer), other than by
>    using the --cipher-algo option?  What algorithm for selecting
>    symmetric cipher do other versions of PGP use, when there is
>    more than one choice?

I don't know. This is a question for Werner or David.
> 2. Can GNUPG generate RSA encryption keys or sign and encrypt keys?
>    If not, will it ever do so?  The only RSA choice I an find is "RSA
>    sign only".

You can generate a RSA sign key and then an encrypt subkey. I think CVS
has support for RSA sign and encrypt with --expert.

> 3. My company needs to be able to receive encrypted files (encrypted to
>    our public key) that we will decrypt.  There is no requirement for
>    signature verification and we don't need to send encrypted files to
>    others.  I would rather not support PGP 2.6.x.  If we do have to
>    support it, we could generate an RSA key from PGP 2.6.x, self-sign
>    it, import it into GNUPG and publish it as our 2.6.x public key (we
>    are licensed to use IDEA).  I have confirmed that this works, but
>    would this be a violation of the "no commercial use" clause of the 2.6=
>    license?  The public key would be generated by 2.6.x but only used
>    by GNUPG.

If you want to create a 2.6.x compatible key, you can use 2.62g, which is
under the GPL. This solves your licensing quandry.

> 4. Does anyone have any idea what percentage of people still use 2.6.x
>    instead of a (more or less) OpenPGP compliant version of PGP?
>    Is this percentage declining?

Key Version	# of Keys	% of Total Keys
Version 3	138,118		9.7716%
Version 4	1,275,344	90.2284%

You might want to take this with a grain of salt; I use a v3 key, but do
not use PGP 2.6.x.

> 5. I noticed that CERT issues a new public key periodically with a one=20
>    year expiration period.  If we don't need to sign messages, is
>    this a good model to use?

You can do this, or you can create subkeys that expire after a year. Howeve=
if you choose the subkey option, some keyservers may butcher your key.

Brian M. Carlson
OpenPGP: 0x351336B2DCA1913A

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Ubi libertas, ibi patria.