Questions about generating keys

David Shaw dshaw at jabberwocky.com
Thu Aug 23 02:22:07 CEST 2007


On Wed, Aug 22, 2007 at 08:36:36PM +0300, Oskar L. wrote:
> Robert J. Hansen wrote:
> > 2. Why do you need an RSA keypair?  The overwhelming majority of users
> >    are best served by sticking with the defaults--which, in this case,
> >    means a DSA/Elgamal keypair.
> 
> I prefer RSA keys because
> 
> - DSA does not have a hash firewall.
> 
> - They don't have a 1024 bit limit, like DSA has. I know "DSA2" can have
>   larger keys, but last I heard PGP can't use them.

I'm not sure if that is still true or not, but either way, if PGP
doesn't use them now, it will soon.  The new OpenPGP spec supports
large DSA (so-called "DSA2") keys.

> - The hash used is not limited to 160 bits, like it is with DSA.

Same here.  DSA2 supports larger hashes.

> - RSA is faster.

This is actually not completely true.  DSA makes signatures faster
than RSA.  RSA verifies signatures faster than DSA.  Since most
signatures are verified more often than they are generated, this is
generally stated as RSA being faster, but in OpenPGP usage, this is
almost always irrelevant.  Unless you're issuing thousands of
signatures a second, the time needed to read the files, and do the
hashing is far more significant.

> I can't understand why RSA isn't the default. The only argument defending
> DSA I've heard is that DSA creates smaller signatures. Is this really so
> important to people that they are willing to give up all the benefits of
> RSA for it?

Now that DSA2 is here, there aren't really that many benefits to RSA
(and I say this as someone with an RSA key).  In theory, DSA is better
because it is required by OpenPGP: you won't be able to find any
OpenPGP implementation that doesn't handle it.  This is not true of
RSA (it's legal for a program to reject it just because it is RSA).
In practice, that doesn't happen much because the "big two", PGP and
GPG, both handle RSA.

So DSA is the default because the OpenPGP standard requires it to be
present, and does not require the same of RSA.  The reasons behind
this were mainly legal stuff and not relevant any longer.

> What I find really strange is that
> the archives mention a sixth option, "(6) RSA (sign and encrypt)", but
> version 1.4.6 gives me:
> 
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (3) DSA (set your own capabilities)
>    (5) RSA (sign only)
>    (7) RSA (set your own capabilities)
> 
> Why was the sixth option removed?

The feature wasn't removed.  Option 7 took its place.  RSA (sign and
encrypt) is the same thing as RSA (set your own capabilities) - just
turn on the sign and encrypt flags.

> By the way, is there a security or performance difference between an
> RSA (sign and encrypt) keypair with no subkeys, and an RSA (sign only)
> keypair with an RSA (encrypt only) subkey?

No performance difference.  There is a minor security difference
between one and two keys in that if your key is compromised, with one
key you've compromised both your signing and encrypting capabilities.
With two keys, you've only compromised the one.

The usual example of this is the police demanding an encryption key
from you (which they can do in many places around the world).  If you
have a subkey for encryption, you could turn over that subkey without
affecting your primary key (and thus all the signatures you've
gathered and issued).  If you don't have a subkey for encryption, you
can be forced into turning over the one key, which compromises your
signing "key" as well.

> David Shaw wrote:
> > > Is there any way to manually set the time that will be used for the
> > > creation time? Or do I have to change the system time if I don't want to
> > > use the current time? I'm a bit of a perfectionist, and think 00:00:00
> > > looks much better than something like 01:42:57.
> >
> > As it happens, this will probably be possible in an upcoming version,
> > but for other reasons.
> 
> Nice! I'm curious about what these reasons are.

Mainly the use of GPG inside anonymous remailers and similar proxies.
In cases like that you may want to randomize or force the internal
timestamps to hide the original values.

> James wrote:
> > - E-mail clients using PGP won't be able to automatically know
> > which key to use when e-mailing you - they'd have to set up
> > specific mappings.
> 
> That's ok, since they would have the same problem if the address
> in my key differed from the one in their address book. Since
> not specifying an e-mail address doesn't seem to go against the
> OpenPGP specification, I think I won't specify one when I create
> my new key.

There is a whole lot of code in the world that really really expects
an email address in there.  You're free to do what you want, but don't
be surprised when something breaks.

David
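
Added example, not part of the original message or of GnuPG's own code: a small audit of `gpg --with-colons --list-keys` style output that reports what is lost if one secret key is disclosed, for the one-key and key-plus-subkey layouts discussed above. The key IDs, timestamps and user ID in the sample listings are constructed.

```python
# Field numbers follow GnuPG's colon listing format: field 1 record type,
# field 3 key length, field 4 algorithm, field 5 key ID, field 12 capabilities.
ALGOS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}
CAPS = {"s": "sign", "c": "certify", "e": "encrypt", "a": "authenticate"}

# Constructed sample: one RSA key that signs and encrypts, no subkeys.
SINGLE_KEY = (
    "pub:u:2048:1:1111111111111111:1187827200:::u:::escESC:\n"
    "uid:u::::1187827200::::Example User:\n"
)
# Constructed sample: RSA sign-only primary with an RSA encrypt-only subkey.
SPLIT_KEYS = (
    "pub:u:2048:1:2222222222222222:1187827200:::u:::scESC:\n"
    "uid:u::::1187827200::::Example User:\n"
    "sub:u:2048:1:3333333333333333:1187827200::::::e:\n"
)

def parse_keys(listing):
    """Return (record, algo, bits, keyid, caps) for each pub/sub record."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        # Lowercase letters are this key's own capabilities; the uppercase
        # letters on a pub record summarise the whole keyblock and are skipped.
        caps = {CAPS[c] for c in f[11] if c in CAPS}
        keys.append((f[0], ALGOS.get(f[3], f[3]), int(f[2]), f[4], caps))
    return keys

def exposure_if_disclosed(keys):
    """Map key ID -> capabilities compromised if that one key is handed over."""
    return {keyid: sorted(caps) for _, _, _, keyid, caps in keys}

def shares_sign_and_encrypt(keys):
    """True if any single key can both sign/certify and encrypt."""
    return any("encrypt" in c and bool({"sign", "certify"} & c)
               for *_, c in keys)

if __name__ == "__main__":
    for name, listing in (("single", SINGLE_KEY), ("split", SPLIT_KEYS)):
        keys = parse_keys(listing)
        print(name, "shared key:", shares_sign_and_encrypt(keys))
        for keyid, caps in exposure_if_disclosed(keys).items():
            print("  disclose", keyid, "->", ", ".join(caps))
```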


