Questions about generating keys

Snoken snoken at
Thu Aug 23 13:44:12 CEST 2007


At 04:11 2007-08-23, Oskar L. wrote:
--snip--
 >Robert J. Hansen wrote (regarding "DSA2" keys):
 >> The latest versions of PGP support them.
 >That's good news. Can it also create them? But there are probably still
 >many using older versions. I know some who refuse to update from 6.5.8.

Some people stick to PGP 8.1, a version fairly compliant with GPG. See below.

 >David Shaw wrote:
 >> Now that DSA2 is here, there aren't really that many benefits to RSA
 >> (and I say this as someone with an RSA key).  In theory, DSA is better
 >> because it is required by OpenPGP: you won't be able to find any
 >> OpenPGP implementation that doesn't handle it.  This is not true of
 >> RSA (it's legal for a program to reject it just because it is RSA).
 >> In practice, that doesn't happen much because the "big two", PGP and
 >> GPG, both handle RSA.
-- snip --
 >So would it be fair to sum up the differences like this:
 >- for signing DSA is faster, for verification RSA is faster,
 >  but there's not much of a difference.
 >- OpenPGP implementations must support DSA, but supporting RSA
 >  is optional, but both gpg and PGP support RSA, so there's
 >  not much of a difference.
 >- original DSA limited to 1024 bit keys and 160 bit hashes.
 >- DSA signatures are smaller.
 >- updated DSA, aka "DSA2", equal to RSA when it comes to the
 >  lengths of keys and hashes.
 >- Of PGP, only the newest version supports DSA2 keys.
 >- RSA has a hash firewall
 >If there are no other significant differences that I have missed, since I
 >want a key larger than 1024 bits, it must be a DSA2 or RSA key. RSA gets a
 >minus for not being required by OpenPGP, but only a small one since it is
 >supported anyway. DSA2 gets minus points both for lack of support in older
 >versions of PGP, and for lack of a hash firewall. RSA still seems better
 >to me, but not by as much as I previously thought.
--snip --

PGP 8.1 verifies SHA-256 hashes made by large RSA-keys, but NOT any
signatures made by DSA2-keys. "Signing algorithm not supported".

To create DSA2-keys with GPG you have to use the option "enable-dsa2".




More information about the Gnupg-users mailing list