Symmetric cipher selection order, RSA keys
Brian M. Carlson
karlsson@hal-pc.org
Fri May 17 18:30:01 2002
On Mon, May 13, 2002 at 07:29:08AM -0700, David Hollenberg wrote:
> I got GNUPG 1.0.7 and installed it on Solaris and it works great! But I
> have a few questions:
>
> 1. Suppose I encrypt a message to two public keys, whose symmetric cipher
> preferences are:
>
> Key 1: AES, CAST5, 3DES
> Key 2: CAST5, AES, 3DES
>
> Which cipher will GNUPG pick? Can I influence GNUPG's choice
> (e.g., via a list of ciphers that *I* prefer), other than by
> using the --cipher-algo option? What algorithm for selecting
> symmetric cipher do other versions of PGP use, when there is
> more than one choice?
I don't know. This is a question for Werner or David.
> 2. Can GNUPG generate RSA encryption keys or sign and encrypt keys?
> If not, will it ever do so? The only RSA choice I can find is "RSA
> sign only".
You can generate an RSA sign key and then an encrypt subkey. I think CVS
has support for RSA sign and encrypt with --expert.
> 3. My company needs to be able to receive encrypted files (encrypted to
> our public key) that we will decrypt. There is no requirement for
> signature verification and we don't need to send encrypted files to
> others. I would rather not support PGP 2.6.x. If we do have to
> support it, we could generate an RSA key from PGP 2.6.x, self-sign
> it, import it into GNUPG and publish it as our 2.6.x public key (we
> are licensed to use IDEA). I have confirmed that this works, but
> would this be a violation of the "no commercial use" clause of the 2.6.x
> license? The public key would be generated by 2.6.x but only used
> by GNUPG.
If you want to create a 2.6.x compatible key, you can use 2.62g, which is
under the GPL. This solves your licensing quandary.
> 4. Does anyone have any idea what percentage of people still use 2.6.x
> instead of a (more or less) OpenPGP compliant version of PGP?
> Is this percentage declining?
Key Version   # of Keys   % of Total Keys
Version 3       138,118          9.7716%
Version 4     1,275,344         90.2284%
You might want to take this with a grain of salt; I use a v3 key, but do
not use PGP 2.6.x.
> 5. I noticed that CERT issues a new public key periodically with a one
> year expiration period. If we don't need to sign messages, is
> this a good model to use?
You can do this, or you can create subkeys that expire after a year. However,
if you choose the subkey option, some keyservers may butcher your key.
-- 
Brian M. Carlson
<karlsson@hal-pc.org>
OpenPGP: 0x351336B2DCA1913A