Questions about generating keys

Robert J. Hansen rjh at sixdemonbag.org
Wed Aug 22 15:04:17 CEST 2007


Oskar L. wrote:
> Are there any drawbacks in not having an e-mail address in the 
> public key?

Not especially.

> Are there any widely used applications that will expect one, and not 
> work if none is found?

Not to my knowledge.

> Why is there no way to generate a RSA keypair in one step, like when you
> create a DSA/Elgamal keypair? Why do I first have to create a signing key,
> and then in a separate step create an encryption key? This is annoying.

1. Because the developers don't feel it's necessary, and nobody's yet
   submitted a patch.

2. Why do you need an RSA keypair?  The overwhelming majority of users
   are best served by sticking with the defaults--which, in this case,
   means a DSA/Elgamal keypair.

> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their first
> name, and have a 3 or 4 character name.

1. Because the developers don't feel it's necessary, and nobody's yet
   submitted a patch.

2. RFC2440 is officially neutral about the content of a user ID packet,
   except that by convention it's an RFC822-style address.  Speaking for
   myself, I'm glad GnuPG enforces a minimum; it reduces the likelihood
   that some poorly-conformant implementation will have a psychotic
   break from reality when it sees a user ID packet with length 0.

   GnuPG's limit is, as near as I can tell, completely arbitrary.  That
   doesn't make it a bad choice.  If the spec gives no guidance (at
   least, none I can see in section 5.11), then any decision whatsoever
   is arbitrary.  Allow zero-length?  Arbitrary.  Allow only names of 17
   characters?  Arbitrary.  Require at least five-letter names?
   Arbitrary.

   The ultimate metric is not whether the choice is perfect; it's
   whether the choice makes sense for the great majority of users.

> Is there any way to manually set the time that will be used for the
> creation time? Or do I have to change the system time if I don't want to
> use the current time? I'm a bit of a perfectionist, and think 00:00:00
> looks much better than something like 01:42:57.

There is not, and I recommend against changing your system time just to
get a 'perfect' key.

A key is a mathematical device which allows us to utilize trust
relationships over a widely dispersed network.  A perfect key is one
which best contributes to the confidence and trust of the network.

If I see that you've got a key date of 00:00:00, my first thought is
going to be that you've played hob with your system time and carefully
doctored your key.  That is not going to cause me to have trust in you
or your key.

Doctoring a key in this way is probably ultimately against your own
interests.
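An added example, not from the post or from GnuPG: a minimal parser for the old-format OpenPGP packets the reply refers to, reading the creation time stored inside a v4 public key packet (which is why the system clock at generation time ends up in the key) and a user ID packet, and rejecting a zero-length user ID the way a robust implementation should. The packet bytes are constructed, with the key's MPIs omitted, and the 5-character minimum mirrors the GnuPG rule discussed above.

```python
from datetime import datetime, timezone

def parse_old_format_packets(data: bytes):
    """Return [(tag, body), ...] for old-format packet headers (RFC 2440 4.2.1)."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        width = 1 << ltype                      # 1, 2 or 4 length octets
        length = int.from_bytes(data[i + 1:i + 1 + width], "big")
        start = i + 1 + width
        body = data[start:start + length]
        if len(body) != length:                 # never trust the declared length
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i = start + length
    return packets

def user_id_from_packet(body: bytes, min_len: int = 5) -> str:
    """Decode a user ID packet (RFC 2440 5.11); min_len mirrors GnuPG's 5-character rule."""
    # Length 0 is syntactically valid but is exactly the corner case the reply warns about, so reject it.
    if len(body) == 0:
        raise ValueError("zero-length user ID")
    uid = body.decode("utf-8")
    if len(uid) < min_len:
        raise ValueError("user ID shorter than %d characters" % min_len)
    return uid

def creation_time_from_pubkey(body: bytes) -> str:
    """v4 public key packet (RFC 2440 5.5.2): version, 4-octet creation time, algorithm, MPIs."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    ts = int.from_bytes(body[1:5], "big")       # seconds since the Unix epoch
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def summarize(data: bytes) -> dict:
    out = {}
    for tag, body in parse_old_format_packets(data):
        if tag == 6:                            # public key packet
            out["created"] = creation_time_from_pubkey(body)
        elif tag == 13:                         # user ID packet
            out["uid"] = user_id_from_packet(body)
    return out

# Constructed sample: v4 DSA key (algorithm 17) created 2007-08-22 00:00:00 UTC, MPIs omitted, then user ID "Oskar".
SAMPLE = bytes([0x98, 6, 4]) + (1187740800).to_bytes(4, "big") + bytes([17, 0xB4, 5]) + b"Oskar"
```

Running summarize(SAMPLE) shows the 00:00:00 creation time exactly as a verifier would read it from the key packet; a user ID packet of bytes([0xB4, 0]) parses fine at the header level but is refused by user_id_from_packet.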
