Establishing new key - key setup recommendations

Thomas Harning Jr. harningt at
Fri Apr 15 23:01:08 CEST 2011

I've generated and published an 8192-bit non-expiring RSA 'master' key
for signing other keys as well as 2048-bit RSA keys for signing and
encryption (expiring in a few years).  The master key is protected by

I have not had it signed by other users yet and am concerned that I
might want to generate a new keyset before I get the 8192-bit key in
wide circulation.  I have, however, signed tags in my Git source
repository with a subkey... so would it make sense to migrate those
subkeys (through trickery I've seen)... or would the fact that they
are available under the 8192-bit key be a general problem?

Some options I am considering after reading blogs/etc:
 * Generate RSA 4096-bit master signing key and revoke the 8192-bit
key noting that it has been superseded
 * Generate DSA 3072-bit master signing key and revoke... (this is
well supported, right?)
 * Wait for ECC to be in standard and supported by PGP and GnuPG
 * Generate ECC key and keep it alongside my better-supported 8192-bit
key until better software support arrives (perhaps keeping both
  - this implies the ECC public key storage for signing it has been
set in stone...

Any help in this decision would be well appreciated.
Thomas Harning Jr.
