Establishing new key - key setup recommendations
Thomas Harning Jr.
harningt at gmail.com
Fri Apr 15 23:01:08 CEST 2011
I've generated and published an 8192-bit non-expiring RSA 'master' key
for signing other keys as well as 2048-bit RSA keys for signing and
encryption (expiring in a few years). The master key is protected by
I have not had it signed by other users yet and am concerned that I
might want to generate a new keyset before I get the 8192-bit key in
wide circulation. I have, however, signed tags in my Git source
repository with a subkey... so would it make sense to migrate those
subkeys (through trickery I've seen)... or would the fact that they
are available under the 8192-bit key be a general problem?
Some options I am considering after reading blogs/etc:
* Generate RSA 4096-bit master signing key and revoke the 8192-bit
key noting that it has been superseded
* Generate DSA 3072-bit master signing key and revoke... (this is
well supported, right?)
* Wait for ECC to be in the standard and supported by PGP and GnuPG
* Generate ECC key and keep it alongside my better-supported 8192-bit
key until better software support arrives (perhaps keeping both
well-signed?)
- this implies the ECC public key storage for signing it has been
set in stone...
Any help in this decision would be well appreciated.
--
Thomas Harning Jr.
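One way to carry out the first option above (a fresh RSA 4096 certify-only master key with separate, expiring subkeys for everyday signing and encryption), written as an added example that is not part of the original post or of GnuPG's own documentation. It assumes GnuPG 2.1 or later (for `--quick-add-key` and the automatically written revocation certificate), a fresh `GNUPGHOME`, and constructed placeholder names; revoking the existing 8192-bit key remains a separate, interactive `--gen-revoke` step.

```shell
#!/bin/sh
# Added example, not from the original post: generate a certify-only RSA 4096
# master key with separate, expiring signing and encryption subkeys, then
# export the pieces so the master secret key can stay offline. Assumes
# GnuPG >= 2.1 (--quick-add-key, automatic revocation certificate) and a
# fresh GNUPGHOME. Names and addresses are constructed placeholders.
set -eu

# Batch parameter file for the master key alone: usage "cert" only, no expiry,
# no subkeys here (they are added below so they can expire independently).
write_params() { # $1 = output path, $2 = real name, $3 = e-mail
    cat > "$1" <<EOF
%echo Generating certify-only RSA 4096 master key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Count Subkey-* lines in a parameter file; 0 means the batch step creates
# the master only, which is what we want.
count_subkey_lines() { grep -c '^Subkey-' "$1" || true; }

# Create the master, add two subkeys with a 2-year lifetime, and export.
# gpg prompts for the master passphrase through pinentry.
generate_keys() { # $1 = real name, $2 = e-mail, $3 = output directory
    params="$3/master.params"
    write_params "$params" "$1" "$2"
    gpg --batch --gen-key "$params"
    # First "fpr" record in colon output is the primary key's fingerprint.
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr/ { print $10; exit }')
    gpg --quick-add-key "$fpr" rsa2048 sign 2y
    gpg --quick-add-key "$fpr" rsa2048 encr 2y
    gpg --armor --export "$fpr" > "$3/public.asc"
    # Secret subkeys only, for everyday machines; the master secret key and
    # the revocation certificate GnuPG 2.1+ writes to
    # $GNUPGHOME/openpgp-revocs.d/$fpr.rev belong on offline storage.
    gpg --armor --export-secret-subkeys "$fpr" > "$3/secret-subkeys.asc"
    gpg --armor --export-secret-keys "$fpr" > "$3/secret-master.asc"
    echo "$fpr"
}

# Run the real generation only when asked; writing the parameter file is safe.
if [ "${RUN_GPG:-0}" = 1 ]; then
    generate_keys "Example User" "user@example.invalid" "${OUT_DIR:-.}"
fi
```

Run with `RUN_GPG=1 GNUPGHOME=$(mktemp -d) sh keygen.sh` to actually generate; without `RUN_GPG` the script only defines the functions.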