Best Practices

David Tomaschik david at
Sat Dec 11 03:16:56 CET 2010

I appreciate everyone's feedback on this matter.  Comments/questions

On Fri, Dec 10, 2010 at 9:41 AM, Robert J. Hansen <rjh at>wrote:

> On 12/9/2010 11:08 PM, David Tomaschik wrote:
> > I feel bad for the "litter" this introduces to the keyservers.
> Don't.  :)  The keyservers don't have a problem with this litter.  I
> wish people showed more care with their certificates, but that's because
> I get too many "I forgot my passphrase, help!" emails, not because I
> think the keyserver network is getting clogged.
Only my oldest key (ca. 2000) is still in the wild, with a lost private
key.  Many lessons were learned from that.

> > I currently have a 4096-bit RSA sign/encrypt keypair with no subkeys.  I
> > believe, but am not certain, that it was generated with SHA1 hashes.
> > (Is there a way I can check?)  This keypair was generated in May of this
> > year.
> Well, you have one subkey, it's just that the subkey is capable of both
> signing and encryption.  You don't have separate subkeys for separate
> tasks, if I understand you correctly.  Some people think this is a bad
> idea, since if you're compelled to produce an encryption key to the
> authorities (so they can decrypt an email sent to you) you've also
> provided them with your signature key (so they can now impersonate you).
Are there any disadvantages to distinct signature & encryption keys?  Seems
like there's benefit with little cost (other than a bigger keyring).  I'm
currently considering generating an offline-only master key and using that
to sign other keys.  Some of the other threads in the archives seemed to
recommend this.

> > What is the best way to transition my email address?  Add a new UID and
> > revoke the old?  Should a new keypair be generated?  What is the
> > conventional wisdom on the strength of RSA-4096?
> Add a new UID and revoke the old.  You don't need to generate a new
> certificate.  RSA-4K is, IMO, phenomenal overkill for the vast majority
> of users.  Breaking RSA-2K is believed comparable in difficulty to
> breaking 3DES, and that prospect is ... let's just say "implausible."
> RSA-3K is roughly comparable to breaking AES-128.  RSA-4K is not very
> much harder than that.  Given all this, I really don't see any point in
> going past RSA-2K.  Adding another 2,000 bits to the key in order to get
> about another 20 bits of symmetric-key equivalent just strikes me as bad
> art.
> > If a new keypair is generated, what length would be sufficient for a
> > decent (10+ year, preferrably 20+) margin of safety?  I know that there
> > may be unforeseen advances in computing that allow for keys to be broken
> > rapidly (Quantum computing, new sieve algorithms, etc.), but there's
> > surely some guidance based on the current generation of things.
> There is not.  In twenty years we will see commonplace attacks that
> today are just speculative science fiction.  It's incredibly hard to
> make good long-term predictions about crypto.
> It is possible that in twenty years national governments will have
> large-scale quantum processors.  Once that happens, RSA, DSA and ElGamal
> all die horrible screaming deaths.
> As an example: almost twenty years ago Schneier wrote in _Applied
> Cryptography_ of the Chinese Lottery Attack.  It involved putting a
> small processor in every Chinese television set, which could be
> programmed by broadcasts from Party headquarters.  Each processor would
> crunch a small part of the keyspace, and as soon as a hit was achieved
> the television would tell the viewer, "You have won!  Call Party
> headquarters with this authorization number: [insert key here]."
> Twenty years ago the Chinese Lottery Attack was an interesting thought
> experiment, but nobody took it seriously.
> Today we have RC5-64,, seti at home, botnets, Amazon EC2
> and all manner of other massively distributed computing frameworks.  The
> question today isn't whether a Chinese Lottery Attack is possible: the
> question is how much it will cost you to rent your server time.
> The future is a scary place.  But fun, too, and I look forward to
> getting there.  :)
> > In a new keypair, is it safe to use SHA512 for hashes?
> Sure, but you don't need to create a new cert to use new hash algorithms.
> Is the weakness in the hash used to sign the key internally, or just when
it is used to sign data?  I guess that's the part that eludes me.

I've been looking at the thread earlier this month regarding smartcards.
Are the options from kernel concepts basically the full range of
GPG-compatible smart cards, or are there other products I haven't seen?
Obviously I'd need a new keypair if I switched to that, as they only go up
to RSA3k.

Thanks again,
David Tomaschik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20101210/ce72f478/attachment-0001.htm>

More information about the Gnupg-users mailing list