[Q] DSA 1024-bit limit.

Denis McCauley DenisMcCauley@ifrance.com
Sat May 17 07:53:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 14 May 2003 19:00:11 +0200
Werner Koch <wk@gnupg.org> wrote:

> On Tue, 13 May 2003 11:53:42 -1000, Denis McCauley said:
> 
> > IMO, the real worry with the 1024-bit limit on regular DSA keys is that
> > they are the primary keys on which you collect the signatures that
> > construct your web of trust. If you have to revoke them because they are
> 
> Please consider all facts relevant to the security of your key.  The
> length of the key is not that important as long as it has a sound size
> (i.e. > 768 bits).  Speculating about when it can be broken and not
> considering facts with a much higher chance of a key compromise is
> shortsighted.
> 
Agreed, key size is only one factor to be taken into account, and not
the most urgent, but from my reading I see that I'm not alone in
considering the 1024-bit limit as a possible weak point in a
not-so-distant future.

> If you can truly identify the length of the key as a worrisome fact,
> you may want to give up the nice short DSA signature for large RSA
> signature blobs.  If you evaluate that, take your attack scenario into
> account: A key used as a top level CA may need other properties than one
> used everyday on your machine with millions - of easy to subvert -
> code lines.
> 
My comment which you cite in introduction was made in the context of a
key with multiple subkeys (RSA 4096 with DSA/ElGamal subkeys). This
solution seems to me to have many advantages, apart from that of using a
stronger primary key for collecting signatures and signing keys.

My secret keyring is encrypted with a 256-bit algo and hash, which needs
a password of 40 random characters to be fully effective. If I split the
top-level CA and everyday functions on to two different keys, I would
need two such passwords -- one I can handle, but two?? 

Following the procedure for stripping secret keys outlined by Adrian
von Bidder (http://fortytwo.ch/gpg/subkey), I can have only one secret
key stored on my machine: that of the signing subkey I use daily, which
has a different password (20 random characters) than that of the
primary key.

The secret key for the primary key and the encryption subkey can be kept
in safe deposit, and when they are used, it's with a Linux system that
boots off a CD and runs in RAM, and not necessarily on my own machine.

As far as I can see this leaves only the problems of physical access to
my machine and radiation snooping as areas of concern. But maybe I've
still overlooked something so any comments are welcome.

Cheers,
- - --
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70
Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7)
Comment: 3C0A D97D 5FC5 A250 20BC EBC6 EB0E 9716 5782 47B4

iD8DBQE+xc4dJpZGKkmAxPcRAmMpAKCQQcKyTR/fJYnZu9TGin9H2gNCSACdF98f
pdd0wZ4p5wj52d7vcPmphEw=
=d3Mp
-----END PGP SIGNATURE-----
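The passphrase figures in the post (40 random characters for a keyring protected by a 256-bit cipher and hash, 20 for the daily signing subkey) follow from the rule that a passphrase drawn uniformly at random from an alphabet of N symbols carries log2(N) bits per character: 256 / log2(94) rounds up to 40 for the 94 printable non-space ASCII characters, and 128 / log2(94) rounds up to 20. The script below is an added example that reproduces and generalises that calculation; it is not code from the post, the thread or GnuPG. The function names and the sample passphrases in it are constructed for illustration, and the estimate is only valid under the uniform-random assumption the post makes (a passphrase built from words or patterns carries far less entropy than its character classes suggest).

```python
import math
import string

# Sizes of the character sets a "random character" may be drawn from
# (assumption: characters are chosen uniformly from one of these sets).
ALPHABETS = {
    "digits": len(string.digits),                                         # 10
    "lowercase": len(string.ascii_lowercase),                             # 26
    "alphanumeric": len(string.ascii_letters + string.digits),            # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet_size` symbols."""
    if length < 0 or alphabet_size < 2:
        raise ValueError("need a non-negative length and an alphabet of at least 2 symbols")
    return length * math.log2(alphabet_size)


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits` (e.g. 256 bits from 94 symbols -> 40)."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least 2 symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_alphabet(passphrase: str) -> int:
    """Alphabet size implied by the ASCII character classes present in `passphrase`.

    Each class present contributes its full size (a random generator that emitted
    one punctuation character could have emitted any of the 32). Characters outside
    the four ASCII classes each widen the alphabet by one; that is a crude
    approximation, but it keeps the estimate conservative rather than generous.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    size = 0
    covered = set()
    for chars, n in classes:
        if any(c in chars for c in passphrase):
            size += n
            covered.update(chars)
    size += len({c for c in passphrase if c not in covered})
    return size


def rating(passphrase: str, target_bits: int) -> dict:
    """Entropy estimate for `passphrase` and the gap to `target_bits`, in characters."""
    size = effective_alphabet(passphrase)
    if size < 2:
        return {"alphabet": size, "bits": 0.0, "meets_target": False, "shortfall": None}
    bits = entropy_bits(len(passphrase), size)
    return {
        "alphabet": size,
        "bits": bits,
        "meets_target": bits >= target_bits,
        # how many more characters of the same mix would be needed
        "shortfall": max(0, chars_needed(target_bits, size) - len(passphrase)),
    }


# Constructed sample passphrases for the demonstration only; do not reuse them.
SAMPLE_8 = "Xk7#pQ2v"
SAMPLE_40 = "q7R!mZ4#vL9$kP2%wX6&hJ8*nC3(dB5)fG1-tY0_"


if __name__ == "__main__":
    # Required length for the two security levels the post discusses,
    # across the alphabets above.
    for name, size in ALPHABETS.items():
        print(f"{name:>13} ({size:>2} symbols): "
              f"{chars_needed(128, size):>3} chars for 128 bits, "
              f"{chars_needed(256, size):>3} chars for 256 bits")
    for sample, target in ((SAMPLE_8, 128), (SAMPLE_40, 256)):
        r = rating(sample, target)
        print(f"{len(sample):>2}-char sample vs {target} bits: "
              f"alphabet {r['alphabet']}, {r['bits']:.1f} bits, "
              f"meets target: {r['meets_target']}, shortfall {r['shortfall']} chars")
```

Running the script prints the length table (40 printable characters for 256 bits and 20 for 128 bits, rising to 43 and 22 if only letters and digits are used, and to 55 and 28 for lowercase alone) followed by the two sample ratings. The `rating()` helper is the check a practitioner wants before trusting a figure like "40 random characters": it reports the character classes actually used, so a long passphrase that is all lowercase is correctly shown to fall short of the target.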