Generating a new key

Doug Barton dougb at
Sun Mar 21 02:09:48 CET 2010

I've been following the discussions about new key types, sizes, etc.
with interest for a while now since my old DSA/El Gamal key (vintage
2003) is a bit long in the tooth, and I've been lusting after bigger
hashes, and better long-term security. Up till now my interest has been
mostly academic since I didn't have the easy access to key signing
events that I once did, but there is one coming up next week at IETF 77
that I will likely be attending, so I thought now is a good time.

Here are my choices for the various options; I'm curious whether anyone sees
anything glaringly horrible about them. :)

gnupg version: 2.0.14
The FreeBSD ports for gnupg, libassuan, etc. haven't been updated yet,
and unless there is a truly compelling reason to update them myself, I'd
rather put my time into something else.

Signing key: 2048 RSA
1024 RSA seems right out based on recent events; however, I can't see any
reasoning for a larger signing key, and I've read all the discussion on
why this is the default and don't see anything wrong with it (in my
expert opinion). :)

Capabilities: SCA
I don't have a particular need for an authentication key atm, but I
might someday, and I'd really rather avoid a proliferation of new keys,
subkeys, etc. I'm aiming to make this my one key for another good long
while. If I get 7 years out of this one (like I did my DSA key) that'll
be a good achievement I think.

Photo UID: 30915 bytes
This is a 175x200 jpeg, and I didn't think a 30k image was that large,
but gpg complains that it's "very large" or some such. I could strip it
down to a smaller size if this is truly too large, but the file size now
makes the photo just usable as it is.

Encryption subkey: 4096 RSA
Here is where I differ from the defaults. I understand the argument
about a 1,000-meter wall vs. a 100,000-meter wall; however, the larger
key doesn't make any appreciable difference to the encrypted file size,
and I like the idea of having an encryption key large enough that I
don't have to worry about things staying encrypted for the foreseeable

So, anything painfully stupid in there?
	... and that's just a little bit of history repeating.
			-- Propellerheads

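The key layout Doug describes (RSA 2048 primary with sign and auth usage, cert being implicit, plus an RSA 4096 encryption subkey) can be produced unattended with gpg's batch parameter file. The script below is an added example, not code from the original post or from GnuPG: it builds that parameter block, enforces the "no 1024-bit RSA" rule from the post, sanity-checks a candidate photo ID, and runs gpg in a throwaway GNUPGHOME only if a gpg binary is on PATH. The name, e-mail and passphrase are placeholders, the 30915-byte JPEG is a constructed stand-in with only the magic bytes set, and the 6144-byte threshold at which gpg warns about a large photo is an assumption about gpg's photo-ID code rather than a value checked against the 2.0.14 sources.

```python
"""Build and (optionally) run a gpg --batch --gen-key parameter block for an
RSA 2048 sign+auth primary with an RSA 4096 encryption subkey.
Added example; placeholders and assumptions are marked in comments."""
import os
import shutil
import subprocess
import tempfile

MIN_RSA_BITS = 2048        # the post rules out 1024-bit RSA
MAX_RSA_BITS = 4096        # largest RSA size gpg 2.0.x generates
# Assumption: gpg's photo-ID code warns that a JPEG is "really large"
# above about this many bytes, so a 30 KiB image is well past it.
PHOTO_WARN_BYTES = 6144
JPEG_MAGIC = b"\xff\xd8\xff"   # OpenPGP photo IDs must be JPEG


def gen_key_params(name, email, passphrase, sign_bits=2048, enc_bits=4096,
                   primary_usage=("sign", "auth"), expire="0"):
    """Return the text fed to `gpg --batch --gen-key`.

    The primary key always carries the cert capability, so Key-Usage only
    lists sign/auth to get the "SCA" primary from the post.
    """
    for bits in (sign_bits, enc_bits):
        if not MIN_RSA_BITS <= bits <= MAX_RSA_BITS:
            raise ValueError(
                f"RSA size {bits} rejected (allowed {MIN_RSA_BITS}-{MAX_RSA_BITS})")
    bad = [u for u in primary_usage if u not in ("sign", "auth", "encrypt")]
    if bad:
        raise ValueError(f"unknown Key-Usage values: {bad}")
    lines = [
        "%echo Generating keypair",
        "Key-Type: RSA",
        f"Key-Length: {sign_bits}",
        f"Key-Usage: {','.join(primary_usage)}",
        "Subkey-Type: RSA",
        f"Subkey-Length: {enc_bits}",
        "Subkey-Usage: encrypt",
        f"Name-Real: {name}",
        f"Name-Email: {email}",
        f"Expire-Date: {expire}",          # 0 = never expires, as in the post
        f"Passphrase: {passphrase}",
        "%commit",
        "%echo done",
    ]
    return "\n".join(lines) + "\n"


def photo_id_check(jpeg_bytes):
    """Return (usable, note) for the bytes of a candidate photo ID."""
    if not jpeg_bytes.startswith(JPEG_MAGIC):
        return False, "not a JPEG; OpenPGP photo IDs must be JPEG"
    size = len(jpeg_bytes)
    if size > PHOTO_WARN_BYTES:
        return True, (f"{size} bytes: gpg accepts it but warns it is "
                      f"very large (> {PHOTO_WARN_BYTES})")
    return True, f"{size} bytes: ok"


def generate_key(params, gnupghome=None):
    """Run batch key generation in an isolated GNUPGHOME.

    Returns gpg's exit status, or None when no gpg binary is on PATH so the
    example degrades gracefully on a machine without GnuPG.
    """
    gpg = shutil.which("gpg2") or shutil.which("gpg")   # binary name varies
    if gpg is None:
        return None
    home = gnupghome or tempfile.mkdtemp(prefix="gpg-demo-")
    os.chmod(home, 0o700)          # gpg warns about a group/world-readable home
    env = dict(os.environ, GNUPGHOME=home)
    proc = subprocess.run([gpg, "--batch", "--gen-key"], input=params,
                          text=True, env=env, capture_output=True)
    if proc.returncode:
        print(proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    # Placeholder identity and passphrase; replace before real use.
    params = gen_key_params("Example User", "user@example.org", "change-me")
    print(params)
    # Constructed stand-in for the 30915-byte JPEG from the post.
    fake_jpeg = JPEG_MAGIC + b"\x00" * (30915 - len(JPEG_MAGIC))
    print(photo_id_check(fake_jpeg))
    rc = generate_key(params)
    print("gpg not found on PATH" if rc is None else f"gpg exit status {rc}")
```

Batch mode has no parameter for a photo ID, so the JPEG still has to be attached afterwards with `gpg --edit-key <keyid>` and the `addphoto` command; the size check above only tells you ahead of time whether that step will prompt with the "very large" warning.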