multiple subkeys and key transition

Ben McGinnes ben at
Thu Dec 9 19:30:17 CET 2010

On 10/12/10 5:01 AM, Daniel Kahn Gillmor wrote:
> On 12/09/2010 09:08 AM, Robert J. Hansen wrote:
>> On 12/9/2010 1:14 AM, Ben McGinnes wrote:
>>>  I am giving very serious thought to creating new keys and
>>> doing a (long-term) transition to them.  This is partly to respond to
>>> known flaws with SHA-1 and take advantage of SHA-256 and higher.
>> My best counsel is: don't, at least not yet.
> Sorry, but i have to disagree with Robert on this (yes, i'm the
> author of the blog post you linked to earlier).  If you want to
> switch to stronger algorithms, now is a reasonable time to do it.

Ah, a debate, excellent.  Now let's make it a little more
entertaining, where do you see RIPEMD-160 in the scheme of things?

I ask because that seems to be the only update my current DSA/Elgamal
key can accept (via setpref).

>> First, there are no imminent practical attacks on SHA-1.
> That we know of, anyway.  Nonetheless, its use for digital
> signatures has been strongly deprecated by groups like NIST.  See
> [0] for links to NIST recommendations.

Thanks, more reading material is a welcome addition.

>> Second, the OpenPGP Working Group ("the WG") is currently figuring
>> out how to get SHA-1 out of the OpenPGP spec and how to replace it
>> with something better.
> This discussion currently seems to be idle, so i would not wait on
> it.  We need to get the discussion going again, certainly.

Is it possible that this current transition push is partially aimed at
reigniting the WG's discussion by creating a new de-facto standard?
In much the same way that PGP 5.x became the foundation for OpenPGP
(RFC 2440 and then 4880).

>> If you do a transition now, it's possible you'll want to transition
>> again in six months or a year once the WG updates the RFC.
> This statement seems to assume that the RFC can't or won't be
> updated in a way that people could make the transition using the
> same key material, assuming they were using strong enough keys and
> digests in the first place.

What is the likelihood of that actually being the case?

> My own personal bottom line: i've been using digests from the SHA-2
> family for well over a year now (and larger RSA keys for twice that
> time) and have had no interoperability problems.

Good to know.  Should I make the transition now/soon, my current plan
is either of these two options:

1) 4,096-bit RSA signing key with a 4,096-bit Elgamal encryption key.

2) 4,096-bit RSA signing key with a 4,096-bit RSA encryption key and a
4,096-bit Elgamal encryption key.

Since I prefer a more long-term approach, this should eventually lead
to 8,192-bit encryption keys when 4,096-bit becomes the default.
That's probably a fair way down the track, though, very likely several
years away.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101210/85994e28/attachment.pgp>

More information about the Gnupg-users mailing list