Generating a new key

Doug Barton dougb at
Sun Mar 21 05:29:49 CET 2010

On 03/20/10 20:28, David Shaw wrote:
> On Mar 20, 2010, at 9:09 PM, Doug Barton wrote:
>> Capabilities: SCA
>>
>> I don't have a particular need for an
>> authentication key atm, but I might someday, and I'd really rather
>> avoid a proliferation of new keys, subkeys, etc. I'm aiming to make
>> this my one key for another good long while. If I get 7 years out
>> of this one (like I did my DSA key) that'll be a good achievement I
>> think.
> I wouldn't do this.  The default is SC (sign+certify).  If you want
> an authentication key at some point in the future, I recommend a
> subkey.  If you make your primary key the authentication key, you
> need to have that key online, and lose the ability to store it
> offline someday.

I thought about that actually, and was unclear about two things. It
doesn't seem to me that an authentication key would need signatures; is
that correct? The other is in reference to what you said above. If I add
an authentication subkey is it possible to store just the subkey
separate from the "main" SC key? I'm familiar with the concept of
on-line vs. off-line keys and fairly familiar with the security
implications relative to my work with DNSSEC, just not sure how they
relate here.

>> Photo UID: 30915 bytes
>>
>> This is a 175x200 jpeg, and I didn't think a
>> 30k image was that large, but gpg complains that it's "very large"
>> or some such. I could strip it down to a smaller size if this is
>> truly too large, but the file size now makes the photo just usable
>> as it is.
> 30k is a little big, but don't shrink its dimensions.  Instead,
> shrink its color depth and perhaps lower the JPEG quality level a
> bit.

OK, saving it at 77% instead of 100% and removing all the exif data got
me down to 6140, which is just below the magic number of 6k. I can tell
the difference between the two images, but the smaller one still serves
the purpose.

>> Encryption subkey: 4096 RSA
>>
>> Here is where I differ from the
>> defaults. I understand the argument about a 1,000 meter wall vs. a
>> 100,000 meter wall, however the larger key doesn't make any
>> appreciable difference to the encrypted file size, and I like the
>> idea of having an encryption key large enough that I don't have to
>> worry about things staying encrypted for the foreseeable future.
> Frankly, you don't have much to worry about with a 2048 bit key
> either.  It also is slightly odd to use an encryption key that is so
> much larger than your signing key.  Another reason to not go 4096 is
> it removes the ability to use a smartcard in the future.  The
> smartcard is (currently) limited to 3072-bit keys.

That's a good point, thanks. I've no plans to use a smartcard but no
sense in gratuitously eliminating that possibility either.
	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!

More information about the Gnupg-users mailing list
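The key layout recommended in the reply above (a sign+certify primary kept offline, encryption and authentication as subkeys, and only the subkeys' secret material copied to the online machine), as an added shell example that is not part of the thread. It assumes GnuPG 2.1 or later on PATH; the user id and the scratch keyrings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an SC primary that stays offline
# plus E and A subkeys, then exports only the subkeys' secret halves for an
# online keyring. Assumes GnuPG >= 2.1; the user id is a constructed placeholder.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg not found on PATH' >&2; exit 0; }

OFFLINE=$(mktemp -d)   # keyring holding the full primary key
ONLINE=$(mktemp -d)    # keyring that will hold only the subkeys
UID_STR='Constructed Example <example@example.invalid>'

# Unprotected scratch keys so the example runs unattended (not for real keys).
gpg_off() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' --homedir "$OFFLINE" "$@"; }
gpg_on()  { gpg --batch --quiet --pinentry-mode loopback --passphrase '' --homedir "$ONLINE"  "$@"; }

build_keys() {
    # 1. Primary with cert+sign only. Giving algo/usage explicitly makes gpg
    #    create no subkey here, so nothing but C and S lives on the primary.
    gpg_off --quick-generate-key "$UID_STR" rsa2048 cert,sign 1y
    FPR=$(gpg_off --list-secret-keys --with-colons | awk -F: '$1=="fpr" { print $10; exit }')

    # 2. Encryption and authentication as separate subkeys; the A subkey can
    #    later be rotated or put on an online host without touching the primary.
    gpg_off --quick-add-key "$FPR" rsa2048 encr 1y
    gpg_off --quick-add-key "$FPR" rsa2048 auth 1y

    # 3. Export only the subkeys' secret material; the primary goes out as a
    #    stub. This file is what the online machine receives.
    gpg_off --export-secret-subkeys "$FPR" > "$OFFLINE/subkeys.gpg"
    gpg_on --import "$OFFLINE/subkeys.gpg"
}

# --with-colons: field 12 lists capability letters (e, a, s, c); field 15 is
# '#' on a sec/ssb record whose private material is a stub.
offline_primary_is_real() { gpg_off --list-secret-keys --with-colons | awk -F: '$1=="sec" && $15!="#" {f=1} END {exit !f}'; }
online_primary_is_stub()  { gpg_on  --list-secret-keys --with-colons | awk -F: '$1=="sec" && $15=="#" {f=1} END {exit !f}'; }
online_has_subkey_cap()   { gpg_on  --list-secret-keys --with-colons | awk -F: -v c="$1" '$1=="ssb" && index($12,c) && $15!="#" {f=1} END {exit !f}'; }

build_keys
gpg_on --list-secret-keys   # the primary prints as "sec#": subkeys usable, primary absent
```

The offline keyring is what you would keep on removable media; only `subkeys.gpg` lands on the machine that needs to decrypt or authenticate.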