multiple subkeys and key transition
ben at adversary.org
Thu Dec 9 19:30:17 CET 2010
On 10/12/10 5:01 AM, Daniel Kahn Gillmor wrote:
> On 12/09/2010 09:08 AM, Robert J. Hansen wrote:
>> On 12/9/2010 1:14 AM, Ben McGinnes wrote:
>>> I am giving very serious thought to creating new keys and
>>> doing a (long-term) transition to them. This is partly to respond to
>>> known flaws with SHA-1 and take advantage of SHA-256 and higher.
>> My best counsel is: don't, at least not yet.
> Sorry, but i have to disagree with Robert on this (yes, i'm the
> author of the blog post you linked to earlier). If you want to
> switch to stronger algorithms, now is a reasonable time to do it.
Ah, a debate, excellent. Now let's make it a little more
entertaining, where do you see RIPEMD-160 in the scheme of things?
I ask because that seems to be the only update my current DSA/Elgamal
key can accept (via setpref).
>> First, there are no imminent practical attacks on SHA-1.
> That we know of, anyway. Nonetheless, its use for digital
> signatures has been strongly deprecated by groups like NIST. See
>  for links to NIST recommendations.
Thanks, more reading material is a welcome addition.
>> Second, the OpenPGP Working Group ("the WG") is currently figuring
>> out how to get SHA-1 out of the OpenPGP spec and how to replace it
>> with something better.
> This discussion currently seems to be idle, so i would not wait on
> it. We need to get the discussion going again, certainly.
Is it possible that this current transition push is partially aimed at
reigniting the WG's discussion by creating a new de-facto standard?
In much the same way that PGP 5.x became the foundation for OpenPGP
(RFC 2440 and then 4880).
>> If you do a transition now, it's possible you'll want to transition
>> again in six months or a year once the WG updates the RFC.
> This statement seems to assume that the RFC can't or won't be
> updated in a way that people could make the transition using the
> same key material, assuming they were using strong enough keys and
> digests in the first place.
What is the likelihood of that actually being the case?
> My own personal bottom line: i've been using digests from the SHA-2
> family for well over a year now (and larger RSA keys for twice that
> time) and have had no interoperability problems.
Good to know. Should I make the transition now/soon, my current plan
is either of these two options:
1) 4,096-bit RSA signing key with a 4,096-bit Elgamal encryption key.
2) 4,096-bit RSA signing key with a 4,096-bit RSA encryption key and a
4,096-bit Elgamal encryption key.
Since I prefer a more long-term approach, this should eventually lead
to 8,192-bit encryption keys when 4,096-bit becomes the default.
That's probably a fair way down the track, though, very likely several
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 227 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users