Questions about generating keys
snoken at tunedal.nu
Thu Aug 23 13:44:12 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
At 04:11 2007-08-23, Oskar L. wrote:
>Robert J. Hansen wrote (regarding "DSA2" keys):
>> The latest versions of PGP support them.
>That's good news. Can it also create them? But there are probably still
>many using older versions. I know some who refuse to update from 6.5.8.
Some people stick to PGP 8.1, a version fairly compliant with GPG. See below.
>David Shaw wrote:
>> Now that DSA2 is here, there aren't really that many benefits to RSA
>> (and I say this as someone with an RSA key). In theory, DSA is better
>> because it is required by OpenPGP: you won't be able to find any
>> OpenPGP implementation that doesn't handle it. This is not true of
>> RSA (it's legal for a program to reject it just because it is RSA).
>> In practice, that doesn't happen much because the "big two", PGP and
>> GPG, both handle RSA.
- -- snip --
>So would it be fair to sum up the differences like this:
>- for signing DSA is faster, for verification RSA is faster,
> but there's not much of a difference.
>- OpenPGP implementations must support DSA, but supporting RSA
> is optional, but both gpg and PGP support RSA, so there's
> not much of a difference.
>- original DSA limited to 1024 bit keys and 160 bit hashes.
>- DSA signatures are smaller.
>- updated DSA, aka "DSA2", equal to RSA when it comes to the
> lengths of keys and hashes.
>- Of PGP, only the newest version supports DSA2 keys.
>- RSA has a hash firewall
>If there are no other significant differences that I have missed, since I
>want a key larger than 1024 bits, it must be a DSA2 or RSA key. RSA gets a
>minus for not being required by OpenPGP, but only a small one since it is
>supported anyway. DSA2 gets minus points both for lack of support in older
>versions of PGP, and for lack of a hash firewall. RSA still seems better
>to me, but not by as much as I previously thought.
- --snip --
PGP 8.1 verifies SHA-256 hashes made by large RSA-keys, but NOT any
signatures made by DSA2-keys. "Signing algorithm not supported".
To create DSA2-keys with GPG you have to use the option "enable-dsa2".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - GPGrelay v0.959
-----END PGP SIGNATURE-----