Multiple encryption subkeys

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Tue Apr 29 21:10:02 2003


On Tuesday 29 April 2003 19:15, Dennis Lambe Jr. wrote:

[multiple subkeys with various strengths]

> 1) Is this a worthwhile endeavor, cryptographically speaking?  That is
> to say, am I justified in wanting to do this, or is there something I've
> overlooked that makes this a bad or useless application of subkeys?

I guess the idea is not bad. However, you'd have to match the strength of the
public key encryption to the strength of the underlying block cipher - I
don't have data on this, but I think when you use a 128bit block cipher with a
2048 public key, the block cipher is much easier to break, so with going to
4096bit public key you don't gain anything.

If you want to do this really seriously, you'll need to read up on the current
best known attacks on the various block ciphers and the public key algorithms
and make sure that you really gain security by using a stronger public key.

> 4) A lot of messages I read from 2002 and earlier this year suggest that
> many keyservers are still having difficulty with multiple subkeys.  Is
> this still the case, or have there been recent positive developments in
> that area?  What's the official gnupg-users party line on the use of
> keyservers with multiple subkeys?  Is it still "use kjsl.com and pray"?

Yes, this still is mostly the case. One or two of the pksd keyservers and the
keyservers running sks don't have the subkey problem, and gnupg 1.2.1 has
logic to recover as far as possible when it receives a broken key. Problem
with the pksd keyservers is that Jason Harris still thinks that his patch is
not as perfect as it should be and therefore has not released it yet.

cheers
-- vbi

--
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481
