multiple subkeys and key transition

Ben McGinnes ben at
Thu Dec 9 18:54:44 CET 2010

On 10/12/10 4:25 AM, Grant Olson wrote:
> Right.  If the hash algo is your only concern, you can just change
> that.  No need to regenerate a key, unless you're just using that as
> an motivator to bump up your key-size and/or create an offline
> primary key.

I've already switched the hash preference on the key, it will now use
RIPEMD-160 before SHA-1, but it won't accept the higher SHA
algorithms.  Currently it only switches back to SHA-1 when I'm signing
and encrypting to other keys which can't handle RIPEMD-160.

> Regarding RSA vs DSA/ElGamal, without having done any research at
> all, I'm assuming the defaults in GPG changed from DSA/ElGamal to
> RSA/RSA for a reason, so I went with the latter.

Since it has already been mentioned that smartcards only work with
RSA, that could be a factor.  I suspect their development, which I
haven't followed too closely, was to address the concerns of OpenPGP
users who were unable to control the hardware on which their mail
and/or keys were stored and required an additional level of physical
security to prevent an unscrupulous systems administrator from
accessing a secret keyring (and possibly brute forcing the

> And apologies, because I know you said you have no intention of
> using a smartcard (twice), but if you're creating a key for the next
> ten years then it's possible you'll change your mind say five years
> from now.

It's possible, at this stage unlikely, but I won't rule anything out.
I'm already used to having a single key operational for a long time.
The key I'm currently using was generated nearly a dozen years ago.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101210/74b2455e/attachment.pgp>

More information about the Gnupg-users mailing list