multiple subkeys and key transition

Ben McGinnes ben at
Fri Dec 10 00:49:28 CET 2010

On 10/12/10 9:51 AM, John Clizbe wrote:
> If one is still using keys of the old signing default of DSA/1024, a
> 160-bit hash is the only choice available. That's dictated by the
> standard.

That's what I've got.

> But there's no pressing need to generate a new key -- one
> can just switch to using RIPEMD-160 instead of SHA-1. The fire alarm
> for SHA-1 has gone off and it's time to move safely and calmly to
> the exits.  It's not worth panicking over, but folks should have a
> transition plan in place.

Which is what I'm trying to formulate.

> Or one can use enable-dsa2 in GnuPG and use any of the SHA2 hashes,
> they'll just be truncated down to 160 bits similarly to the
> SHA-224/SHA-256 arrangement described below.

Just to clarify, does this mean that SHA-256 or 512 (or whatever)
truncated to 160-bits prevent the potential collision attacks that
might be able to be launched against SHA-1?

> One of the very important, but least notied changes in RFC 4880 was
> that the WG made it much easier to amend the RFC without rewriting
> the entire document. This is how Camellia was included into OpenPGP
> and how ECC will most likely be included.

Ah, cool.

> Expect to see some movement once the new NIST hash competition is
> complete.

So around the end of 2012, assuming they stick to the schedule.

> I just created new keys after almost 8 years, my old key was
> 1024D/2048ElG. The new keys are 2048-DSA2/2048-RSA and a 3x2048-RSA
> OpenPGP card.
> 3072 just felt like overkill for me.

To quote Howard Tayler's _Schlock Mercenary_, "there's no such thing
as overkill, only 'Open fire!' and 'I need to reload!'"  :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101210/e5bc56c8/attachment.pgp>

More information about the Gnupg-users mailing list