[Fwd: Re: [Q] DSA 1024-bit limit.]
Dennis Lambe Jr.
malsyned@cif.rochester.edu
Wed May 14 04:14:01 2003
--=-VWm5mXQGV89HoRJAqR3Y
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
I responded to Daniel's questions and forgot to reply-to-all. woops!=20
Here's that email.
-----Forwarded Message-----
> From: Dennis Lambe Jr. <malsyned@cif.rochester.edu>
> To: Daniel Carrera <dcarrera@math.umd.edu>
> Subject: Re: [Q] DSA 1024-bit limit.
> Date: 13 May 2003 20:12:25 -0400
>=20
> On Tue, 2003-05-13 at 18:29, Daniel Carrera wrote:
> > > You can have more than one key pair on your keyring. To create a key
> > > like that of David Shaw (or mine) you create a new key choosing the
> > > option (5) RSA (sign only). Then you add the other (sub) keys:
> >=20
> > Thanks. Now I have a 2048-bit RSA key as well.
> >=20
> > Where can I learn more about how subkeys work? I just tried to do=20
> > something and I goofed. These are my current keys:
> >=20
> > Command> list daniel
> > pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2005-05-09 trust: u/u
> > sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
> > sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
> > (1). Daniel Carrera (PhD Student, Math) <dcarrera@math.umd.edu>
> >=20
> > I tried to change the expire date of the ElGamal key to 2006, but inste=
ad=20
> > it changed that of the DSA key:
> >=20
> > Command> expire 0D1C25EC
> > [snip] =20
> > pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2006-05-12 trust: u/u
> > sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
> > sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
> >=20
> >=20
> > What just happened there?
>=20
> (read this carefully, the information you need doesn't make an
> appearance until the second paragraph.)
>=20
> On the command line, GnuPG treats the KeyIDs of all subkeys as synonyms
> for the primary signing key (for better or for worse). You can tell
> GnuPG that you really do mean what you say by postfixing the KeyID with
> an exclamation point (which requires escaping on the command line) like
> so: E3CA8FAE!
>=20
> However! This is /not/ the behavior in the edit-key menu. According to
> the FM:=20
> expire Change the key expiration time. If a subkey is selected, the
> expiration time of this subkey will be changed. With no selection, the
> key expiration of the primary key is changed.
>=20
> This means that the "expire" command at the edit-keys prompt takes no
> arguments (silently ignoring them), and acts on the selected key. To
> select a subkey, use the "key" command, which takes one numeric index.=20
> If you wanted to set the expiration of the ElGamal subkey, the proper
> command sequence would be:
> key 1
> expire
>=20
> >=20
> > > You can have either DSA (sign) and ElGamal (encrypt), or stay with RS=
A,
> > > which will allow you to have a bigger signing subkey (2048 bits for
> > > example).
> >=20
> > Great. How do I do that? I don't mean to ask too many RTFM questions. =
I=20
> > am reading the FM, but I don't always find the information I want there=
.
> > For instance, the man page tells me how to sign keys, but not how to us=
e=20
> > an alternate key for signing.
>=20
> When generating a key, you are given the choices:
> (1) DSA and ElGamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>=20
> Selecting 5 will generate an RSA sign-only key, onto which you can later
> add a DSA signing subkey, an ElGamel encryption subkey, or whatever else
> you'd like. If you use the --expert flag with --gen-key, you get two
> more options, which for one reason or another aren't recommended to
> average users:
> (4) ElGamal (sign and encrypt)
> (7) RSA (sign and encrypt)
>=20
> I believe (but check me on it) that (7) will allow you to create an old
> sign-and-encrypt RSA key a-la pre-OpenPGP versions of PGP.
>=20
> One option that the previous responder didn't take into account, but
> which David Shaw recommends and which makes sense to me and the
> paranoid, standards-conscious folks with which I consort is:
>=20
> Strong (2048 or above) RSA Primary signing key
> for collecting signatures and being long-term reliable
> for signing other keys
> Standard (1024) DSA signing subkey
> for (legally?) signing documents and emails
> (signing subkeys are automatically used in favor of primary keys by
> gnupg for this)
> Strong (2048 or above) ElGamal encryption subkey
>=20
> The proper sequence of --gen-key and --edit-key/addkey commands is left
> as an excercise to the reader, unless the reader objects in a future
> post ;-)
>=20
> By the way, do any of the experts know if it's possible, and how it's
> possible, to sign someone else's ID with a DSA subkey? I know it's not
> possible to self-sign IDs with it for security purposes, but what about
> signing other people's?
>=20
> --Dennis Lambe
--=-VWm5mXQGV89HoRJAqR3Y
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: My public key is available at http://cif.rochester.edu/~malsyned/public_key.html
iD8DBQA+waax+yh/ThbejSgRAnuaAKCGAUmZhAEdw1fQi6OVIthZnXrVPwCdGDy6
WS0vPqo2rcuh6Wyhfz6dAx4=
=sqzq
-----END PGP SIGNATURE-----
--=-VWm5mXQGV89HoRJAqR3Y--