Elgamal signatures (was Re: splitting keys)

David Shaw dshaw@jabberwocky.com
Fri Feb 21 13:56:02 2003


On Fri, Feb 21, 2003 at 09:57:04AM -0000, David Picon Alvarez wrote:

> > Is that still your insanely big key? I dare not verify your signatures,
> > because gpg is sooooo slooooooowwww. Really defeats the purpose of
> > digital signatures...
> 
> Hmm. It's not insanely big, it's 4096, but I guess you say it because of the
> ElGamal sign and encrypt thing. I don't know, I don't want trouble with
> subkeys, and especially I don't want DSA because of the 1024 bit limit.
> Maybe I'm being too stubborn about this and I should go to RSA 4096/4096.
> However, saying it defeats the purpose of digital signatures is quite an
> overstatement, IMO.

I guess it depends on why you are signing.  If the intent is to get
other people to check the signatures on your messages to verify they
did indeed come from you, then it does sort of defeat the purpose of
signing if checking the signature is so unpleasant that nobody does
it.

There are many reasons not to use Elgamal signatures.  Only GnuPG
supports them, so you can't communicate with any other OpenPGP
program.  They are also incredibly slow, which means people have to
sit for 10-20 seconds every time they need to check one of your
messages.  If they have their mail reader configured to automatically
verify signatures, then they can be reading happily along, hit one of
your messages, and they're locked up for a while.

Seriously, if you don't like the 1024-bit DSA limit, use RSA.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson