some(!) PGP / GPG compatibility question

Leigh S. Jones kr6x@kr6x.com
Tue May 21 08:17:02 2002


If you'll e-mail me your PGP public key I'll see if I can get
a notion about the problem.  It might be more practical to
use a DH/DSS key if you want fewer compatibility issues.
And, IDEA is not automatically included in the gpg releases
although it can be added -- AES might be a more
compatible choice.

Don't get the idea that DH/DSS is less secure than RSA.
A 2048/1024 bit DH/DSS keypair will keep you safe.
Or use a 4096/1024 bit DH/DSS keypair.  The 1024
bit key is used for signing only, while the 2048 or 4096
bit part is the asymmetric encryption key.

If someone wants to invade your privacy they will
probably prefer to sneak into your home and put a
program on your computer that traps your password
when you enter it.  The price tag for a broken DH/DSS
keypair is many millions of dollars worth of computer time
while a quiet burglary costs perhaps a few hundred dollars.
Otherwise, most of the serious attacks that succeed will
succeed by the theft of your secret keyring and the
methodical computer aided guessing of your password.
And, if you go to the RSA web site you'll learn that they
are busy defending against allegations that the opposite
is true, that specially built hardware could attack RSA
keys.

Use HTTP://wwwkeys.us.pgp.net.  Revoke old keys
when you stop using them, and make sure that you
revoke them on the servers.  Never delete old keys;
always revoke, and save your old keys.

The encrypt to self option allows you to encrypt data
for only you to decrypt.  This probably accounts for
more than half of the use of PGP/gpg for encryption.

Too many questions.  I'll let someone else answer
them, and probably disagree with me on the answers
I've given...

----- Original Message -----
From: "Aditya" <adityald2@gmx.net>
To: <gnupg-users@gnupg.org>
Sent: Monday, May 20, 2002 7:41 PM
Subject: some(!) PGP / GPG compatibility question


> hi all,
>
> I created a new pgp 7.1 key with the following parameters
>
> (
>   key type    : RSA [*NOT* legacy],
>   key size    : 4096,
>   key cipher  : AES
> )
>
> now when I import this key in GPG in Linux or Solaris I cannot see my name
> or any other key details and mutt on linux shows a ? besides my id in the
> key...
>
> I think this means the new PGP / GPG keys are not compatible
>
> So my questions are
>
> 1. what are the safe parameters for a key to be compatible with PGP and GPG ?
>
> I have come with the following parameters
>
> (
>    key type    : DH/DSS
>    key size    : 4096/1024
>    key cipher  : IDEA
> )
>
> I would like to use the same key for GPG on linux and PGP for windows and the key should be compatible with most of pgp / gpg implementations
>
>
> 2. I read in bugtraq mailing list key size smaller than 1024 can be cracked by NSA, FBI and likes so is the above key safe from this type of attack ?
>
> 3. my private key has a sub key that is 786 bytes in length. Will this key allow all the data encrypted with my other key to be cracked ( other keys are 4096 and 2048 bits long ) ?
>
> 4. I searched google and saw some rumblings on the web about the DH/DSS algo being less secure than RSA. Would this matter in the generation of new key ( ie I should not generate a DH/DSS type of key ) ?
>
> 5. which key servers are the most reliable for use with pgp / gpg ? ( the original keyservers in PGP seem to be unstable )
>
> 6. if I generate a new key what is the best way to let people know that I have generated a new key and that they should stop using the old key ( of course I will revoke it if required ) ? should I sign my new key with the old key for this and put the key on a public keyserver or should I not revoke the old key but instead change the name in the old key to reflect the new keys ID and fingerprint and urging them to use the new key ?
> (ie change the name in old key to something like
> please use new key KeyID: 0xXXXXXXXX, Fingerprint : XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
> where the XXXX are the values of the new key generated )
>
> 7. I am using pgp 7.1 which has the ability to use X.509 Certs. Until now I
> used an X.509 cert and PGP Key for secure email and VPN and Encrypting file
> system in Win2k. is there a way to consolidate both of them to one key /
> cert that can be used in secure email, VPN and encrypting file system and
> still have the multiple names the way new RSA or DH/DSS keys have ? ( any
> ideas that you may have will be helpful, we use our own X.509 root Cert for
> internal certs )
>
> 8. is the encrypt to self option in PGP / GPG a security hole or a feature ?
> can it be used to do anything malicious ?
>
> 9. I have ikey 1000 token. If I wish to put the public/private key on this
> token what is the way to tell pgp 7.1 to use this token ?
>
> 10. I wish to have an ADK in my key so that if I ever forget my password I
> can use the other key to decrypt the email / files how does one put an ADK in
> the newly generated key ?
>
> 11. is there any good GPG front end for linux ( x windows, Windows 9x,
> 2000 ) like PGP for windows for doing the key management ( GPL, BSD any lic
> will do only that it should be free for personal use )
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
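
Added example, not part of the original message and not code from GnuPG or PGP: a small OpenPGP packet reader that reports which algorithm and size the primary key and its subkey use, the first thing to check when a key imports badly in another implementation. It goes a little beyond the thread by also reading new-format packet headers. The function names are hypothetical and the sample keys are constructed placeholders (not real key material); on a real key you would feed it the binary output of `gpg --export`.

```python
import struct

# Public-key algorithm IDs from RFC 4880; PGP's UI calls 17/16 "DSS" and "DH".
ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
ROLES = {6: "primary key", 14: "subkey"}

def mpi(bits):
    """Constructed MPI: 2-byte bit count, then a value with its top bit set."""
    return struct.pack(">H", bits) + ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")

def packet(tag, algo, mpi_bits):
    """Constructed v4 public-key packet, old-format header, 2-byte length."""
    body = bytes([4]) + struct.pack(">I", 1000000000) + bytes([algo]) + b"".join(map(mpi, mpi_bits))
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def describe_keys(data):
    """Return (role, algorithm, bits of first MPI) for each v4 key packet."""
    found, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        if hdr & 0x40:  # new-format header: tag in low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        body = data[i:i + length]
        if len(body) < length:
            raise ValueError("truncated packet")
        i += length
        if tag in ROLES and len(body) >= 8 and body[0] == 4:
            bits = struct.unpack(">H", body[6:8])[0]
            found.append((ROLES[tag], ALGOS.get(body[5], "algo %d" % body[5]), bits))
    return found

DH_DSS = packet(6, 17, [1024, 160, 1024, 1024]) + packet(14, 16, [4096, 2, 4096])  # constructed DH/DSS 4096/1024
RSA = packet(6, 1, [4096, 17])  # constructed 4096-bit RSA key, as in the question
```

For the constructed DH/DSS key this reports a 1024-bit DSA primary key (signing) and a 4096-bit Elgamal subkey (encryption), the split described in the reply above.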