Questions about generating keys

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 23 00:41:16 CEST 2007


Oskar L. wrote:
> - They don't have a 1024 bit limit, like DSA has. I know "DSA2" can
> have larger keys, but last I heard PGP can't use them.

The latest versions of PGP support them.

> - RSA is faster.

If you are repeatedly encrypting and/or decrypting enormous files, then
yes, this is potentially an issue.  Otherwise, there is no practical
difference in speed you will notice.

> I can't understand why RSA isn't the default.

The OpenPGP specification came out in the late nineties.  RSA did not
enter the public domain until August of 2000.  The IETF refused--rightly
so--to make a patented algorithm the default OpenPGP algorithm.

> The only argument defending DSA I've heard is that DSA creates
> smaller signatures. Is this really so important to people that they
> are willing to give up all the benefits of RSA for it?

This implicitly casts RSA as being somehow universally superior.  It's
not.  Nor is it inferior.  In a couple of very narrow fields, RSA is
superior.  In others, DSA is probably superior.  In yet others, Rabin
signatures are probably best.  (Me, I've wondered for years why OpenPGP
doesn't support Rabin; it's a beautifully elegant algorithm.  And then I
kick myself and say "duh, to keep the number of algorithms down, just
like with Lamport signatures and WHIRLPOOL!", and go on with my business.)

> Why was the sixth option removed?

Because it's a deprecated key style.  There's nothing inherently wrong
with it, but most authorities today recommend using separate signing and
encryption keys.

> By the way, is there a security or performance difference between an
> RSA (sign and encrypt) keypair with no subkeys, and an RSA (sign only)
> keypair with an RSA (encrypt only) subkey?

Only when it comes to recovering from a security-related incident.  If
the cops come by and force you to give the private part of a key used to
encrypt a message, fine, you can do so without yielding your signing key.



