subkey types and preferences...

David Shaw dshaw at
Tue Jul 6 19:02:06 CEST 2004

On Wed, Jun 30, 2004 at 11:04:37PM -0400, Douglas F. Calvert wrote:
> Hello,
>  Is there any consensus about which signing subkey type is better, RSA
> or DSA? And or for that matter El Gamal vs. RSA for encryption? What are
> the merits/drawbacks of the different key types?

For signing, DSA signs faster and RSA verifies a signature a lot
faster.  This is likely to be a non-issue in the real world.

If you like big keys, you'll probably prefer RSA which can have keys
larger than the DSA 1024-bit limit.  RSA can also use hashes of any
size, while DSA is limited to 160 bits.

DSA makes signatures that are small and non-annoying when attached to
a email message.  Big RSA keys make big, potentially annoying
signatures.  For me, that's a pretty good reason to use DSA if the
intent is to sign email.

For encryption, RSA is a lot faster to encrypt, but a little slower to
decrypt.  Again, this is a non-issue in the real world.

It's important to understand that while there are a collection of
minor points that make people like one pk algorithm over the other, in
the real world, it doesn't really matter that much.  Both algorithms
are vastly stronger than most people need.  Consider your attacker: if
your adversary can only climb 10 feet, having a 10,000 foot wall
around your house is just as good as a 10,005 foot wall.

>  The next questions are about the preferences for keys:
> pub  1024D/C9541FB2  created: 2002-02-27 expires: never      trust: u/u
> sub  4096g/0CA2DB2F  created: 2002-02-27 expires: never
> (1). Douglas F. Calvert <dfc at>
> (2)  [jpeg image of size 4350]
> Command> showpref
> pub  1024D/C9541FB2  created: 2002-02-27 expires: never      trust: u/u
> (1). Douglas F. Calvert <dfc at>
>      Digest: RIPEMD160, SHA1
>      Compression: ZLIB, ZIP, Uncompressed
> (2)  [jpeg image of size 4350]
>      Cipher: AES, CAST5, 3DES
>      Digest: SHA1, RIPEMD160
>      Compression: ZLIB, ZIP, Uncompressed
>      Features: MDC
> Why does my image uid have different preferences than my first UID? I
> imagine that it is because the uid was added with a newer version of
> gnupg.


> Should I update the preferences of ID 1 to match those of UID2?

Strictly if you want to.  Since there is no current way to encrypt to
a photo (that is, you can't say "gpg -r <photo> --encrypt"),
preferences on a photo are currently a no-op.

> And while we are on the subject of preferences are there any other
> preferences that I should update? I generated a test key with 1.2.4
> and the default preferences are:
> (1). default default <defaiult at>
>      Cipher: AES256, AES192, AES, CAST5, 3DES
>      Digest: SHA1, RIPEMD160
>      Compression: ZLIB, ZIP, Uncompressed
>      Features: MDC
> I generated a new key with 1.3.6 and the preferences are the same except
> for the addition of the keyserver no-modify setting. 

Not exactly.  1.2.x and 1.3.x both set keyserver no-modify.  1.3.x
just shows you that it was set.

> I am most concerned about security and the overwhelming majority of my
> communications are with people who use gnupg. With that in mind should I
> go with the default updpref or is there a set of preferences that would
> match my tin-foil hat better?

Generally speaking, the default set given via 'updpref' is the best
one for reasons of strength and compatibility.  People frequently
argue whether (for example) Twofish (256) is stronger than AES (256).
This is akin to the 10-foot wall example earlier.

If you want to advertise the ability to handle any cipher algorithm,
then it's fine to edit the list to put in whatever you like.

Hash algorithm preferences work the same way: if you want to encourage
people to use a particular hash when signing and encrypting to you,
then feel free to override the default (SHA-1).

Compression algorithms are purely your preference.


More information about the Gnupg-users mailing list