Generating a new key

Faramir faramir.cl at gmail.com
Sun Mar 21 04:40:08 CET 2010


Doug Barton wrote:
...
> Signing key: 2048 RSA
> 1024 RSA seems right out based on recent events, however I can't see any
> reasoning for a larger signing key, and I've read all the discussion on
> why this is the default and don't see anything wrong with it (in my
> expert opinion). :)

  IMHO, the main key (used to sign other keys) is the most important
one, since you can add or revoke subkeys, but the main one can't be
changed. If the key length chosen becomes unsafe, you should revoke the
key and make a new one, so I would choose a length with a larger security
margin, like RSA 2048 (by the way, RSA 2048 is the new default in the
current version of GnuPG). IIRC, RSA 2048 is considered to remain safe
until 2030 (according to a Wikipedia article quoting RSA estimations).
Of course that estimation may change.

...
> Encryption subkey: 4096 RSA

  Well, if you want to store something encrypted, and it must remain
safe at least until 2030, maybe you can use that length, since it would
give you a larger security margin.

  Another thing to consider is that SHA is not as safe as it used to be, and
if it becomes easily crackable, signatures issued using SHA can become
unsafe. So maybe you'd like to use SHA-256 instead of SHA-128. If I'm
not wrong, you would need to add the following lines to your gpg.conf
file, before generating your key:
s2k-digest-algo SHA256
cert-digest-algo SHA256

The first line tells gnupg to use SHA-256 instead of SHA-1 to mangle the
passphrases. I don't really know what that mangling thing is, but if the
idea is to replace SHA-1 with SHA-256, it can be useful. (I have a bad
feeling about telling other people to use that line).

The second line tells gnupg to use SHA-256 instead of SHA-1 for signing
other keys.

  But beware, older implementations of PGP may not be able to read
SHA-256 (but probably, these implementations are outdated).

  Best Regards

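Added example, not part of the original post and not GnuPG's own code: the passphrase "mangling" that s2k-digest-algo controls is OpenPGP's string-to-key (S2K) step, sketched here as the iterated and salted variant from RFC 4880 section 3.7.1.3 so the effect of switching the digest is visible. The function names, salt and passphrase are constructed for illustration.

```python
import hashlib

def decode_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: expand the one-octet coded count to a byte count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, digest: str = "sha256") -> bytes:
    """Derive key_len bytes of symmetric key material from a passphrase."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    unit = salt + passphrase
    # salt+passphrase is always hashed in full at least once
    total = max(decode_count(coded_count), len(unit))
    reps, rest = divmod(total, len(unit))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(digest)
        # when the digest is shorter than the key, extra hash contexts are
        # used; context i is preloaded with i zero octets
        h.update(b"\x00" * context)
        for _ in range(reps):
            h.update(unit)
        h.update(unit[:rest])
        key += h.digest()
        context += 1
    return key[:key_len]

def compare_digests(passphrase: bytes, salt: bytes, coded_count: int = 96,
                    key_len: int = 32) -> dict:
    """Same passphrase and salt, mangled with SHA-1 and with SHA-256."""
    return {name: s2k_iterated_salted(passphrase, salt, coded_count,
                                      key_len, name).hex()
            for name in ("sha1", "sha256")}

if __name__ == "__main__":
    salt = bytes(range(8))                      # constructed sample salt
    for name, key in compare_digests(b"correct horse", salt).items():
        print(f"{name:7s} {key}")
```

With SHA-1 a 32-byte key needs two hash contexts because the digest is only 20 bytes; with SHA-256 one context is enough.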


