Symmetric cipher selection order, RSA keys
Brian M. Carlson
Fri May 17 18:30:01 2002
Content-Type: text/plain; charset=utf-8
On Mon, May 13, 2002 at 07:29:08AM -0700, David Hollenberg wrote:
> I got GNUPG 1.0.7 and installed it on Solaris and it works great! But I=
> have a few questions:
> 1. Suppose I encrypt a message to two public keys, whose symmetric cipher
> preferences are:
> Key 1: AES, CAST5, 3DES
> Key 2: CAST5, AES, 3DES
> Which cipher will GNUPG pick? Can I influence GNUPG's choice
> (e.g., via a list of ciphers that *I* prefer), other than by
> using the --cipher-algo option? What algorithm for selecting
> symmetric cipher do other versions of PGP use, when there is
> more than one choice?
I don't know. This is a question for Werner or David.
> 2. Can GNUPG generate RSA encryption keys or sign and encrypt keys?
> If not, will it ever do so? The only RSA choice I an find is "RSA
> sign only".
You can generate a RSA sign key and then an encrypt subkey. I think CVS
has support for RSA sign and encrypt with --expert.
> 3. My company needs to be able to receive encrypted files (encrypted to
> our public key) that we will decrypt. There is no requirement for
> signature verification and we don't need to send encrypted files to
> others. I would rather not support PGP 2.6.x. If we do have to
> support it, we could generate an RSA key from PGP 2.6.x, self-sign
> it, import it into GNUPG and publish it as our 2.6.x public key (we
> are licensed to use IDEA). I have confirmed that this works, but
> would this be a violation of the "no commercial use" clause of the 2.6=
> license? The public key would be generated by 2.6.x but only used
> by GNUPG.
If you want to create a 2.6.x compatible key, you can use 2.62g, which is
under the GPL. This solves your licensing quandry.
> 4. Does anyone have any idea what percentage of people still use 2.6.x
> instead of a (more or less) OpenPGP compliant version of PGP?
> Is this percentage declining?
Key Version # of Keys % of Total Keys
Version 3 138,118 9.7716%
Version 4 1,275,344 90.2284%
You might want to take this with a grain of salt; I use a v3 key, but do
not use PGP 2.6.x.
> 5. I noticed that CERT issues a new public key periodically with a one=20
> year expiration period. If we don't need to sign messages, is
> this a good model to use?
You can do this, or you can create subkeys that expire after a year. Howeve=
if you choose the subkey option, some keyservers may butcher your key.
Brian M. Carlson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Ubi libertas, ibi patria.
-----END PGP SIGNATURE-----