OpenPGP card: What RSA problems? Why not for key signing?

Felix E. Klee felix.klee at inka.de
Wed Apr 5 18:22:35 CEST 2006


I am considering creating a new master key: my old one wasn't stored
securely in the past and it has rarely been used.  This new key I want to
generate on a system with a temporary fresh Linux install and upload it
to two smartcards (one is for backup).  Now, the only things
preventing me from doing this are the following paragraphs that I found
in The GnuPG Smartcard HOWTO ("How to use the Fellowship Smartcard"):

  The card does not support DSA keys. Even if you are using a RSA key
  you might encounter problems. The cards available at the moment only
  support 1024 bit keys.

  The suggestion is to use the key on the card only for signing and
  decrypting but NOT for key signing.

This calls for some questions:

* What are those problems that one may encounter with RSA?

* Why should the key on the card not be used for key signing?

* Is there any advantage in using a DSA master key (not supported by the
  OpenPGP card, I know) instead of an RSA master key?

* What's the best tool for generating the 1024 bit RSA key?  Should I
  simply use plain "gpg --gen-key --no-random-seed-file" or should the
  key be generated on card, or does it not really matter?

PS: Of course, I will use a subkey with limited lifetime for everyday
use, and I'll store this key on a third card.

-- 
Felix E. Klee


