Key generation, subkeys and improved documentation
s.murthy at mykolab.com
Tue Jan 6 02:58:24 CET 2015
I think 4096 is enough for me, I don’t want to key of length 8192.
I was just suggesting that the key generation dialogue in gpg could
s.murthy at mykolab.com
> On 5 Jan 2015, at 22:46, Nex6|Bill <n6ghost at yahoo.com> wrote:
>> On Jan 5, 2015, at 7:54 AM, Sandeep Murthy <s.murthy at mykolab.com> wrote:
>> I have a couple of questions about key generation, subkeys and the documentation
>> on gnupg.org.
>> (FYI I have GnuPG/MacGPG (v. 2.0.26) on my Mac.)
>> 1. I just tried to generate an RSA keypair using `gpg` on the command line, and it
>> asks me to choose a key length between 1024 and 8192. Here is the relevant output
>> from my terminal session:
>> RSA keys may be between 1024 and 8192 bits long.
>> What keysize do you want? (2048) 8192
>> Requested keysize is 8192 bits
>> I thought the maximum was 4096? For example, GPGKeychain (the GUI keychain
>> utility from the GPGTools suite which installs the GnuPG/MacGPG) doesnt’t allow
>> key sizes bigger than 4096. In any case, choosing 8192 fails with `gpg`:
>> gpg: keysize invalid; using 4096 bits
>> Shouldn’t this be changed to ensure that 4096 is the limit, or is it possible to have
>> an 8192 length RSA key or this limited by the current capabilities of the random
>> number generator?
>> 2. The key generation dialogue for v. 2.0.26 (started by `gpg —gen-key`) shows
>> the following list of options for keys:
>> Please select what kind of key you want:
>> (1) RSA and RSA (default)
>> (2) DSA and Elgamal
>> (3) DSA (sign only)
>> (4) RSA (sign only)
>> As a user this is confusing to see, for example, RSA and RSA - of course I worked
>> out afterwards that this was going to generate two keypairs one for signatures (S),
>> the other for encryption (E), but at the moment it’s just confusing, even if have to
>> generate new keys again. There is also no explanation that the public key itself is
>> a pair of keys, one which actually makes the signatures using the private key, and
>> the other (subkey) which others use to encrypt messages to you.
>> Also these subway codes S, E, and also C, A are not explained at all - I had to
>> lookup the source code (‘keyedit.c` in the `/g10/ subfolder of the source folder) to
>> guess at what they mean.
>> For example, here is the information provided by `gpg` for my keybase.io public key:
>> pub 4096R/9EAB92B4 created: 2014-12-30 expires: never usage: SCEA
>> trust: ultimate validity: ultimate
>> sub 2048R/238026C5 created: 2014-12-30 expires: 2022-12-28 usage: S
>> sub 2048R/66C9185A created: 2014-12-30 expires: 2022-12-28 usage: E
>> [ultimate] (1). keybase.io/sandeepmurthy <sandeepmurthy at keybase.io>
>> There should be an explanation surely of what S C E A mean: S (signatures),
>> E (encryption), C (creating a certificate) and A (authentication?).
>> 3. At the moment the documentation on gnupg.org - both the manuals and the
>> privacy handbook - are out of date for v. 2.x+), e.g. the privacy handbook
>> https://www.gnupg.org/gph/en/manual/c14.html showing the possible keypair
>> choices as
>> (1) DSA and ElGamal (default)
>> (2) DSA (sign only)
>> (4) ElGamal (sign and encrypt)
>> which is obviously different from what the current one version allows. Perhaps
>> there should be a much better explanation of subways and the codes S, C, E, A,
>> because I don’t think it’s there right now. Since the handbook is aimed at first
>> time users it seems these updates should be (and could be) made very quickly.
>> I use GnuPG but I would also like to contribute. Would it be possible to clone
>> the repo and make a pull request or something like that?
>> Sandeep Murthy
>> s.murthy at mykolab.com
> I believe the recommendation from the GPG folks is a 2048 key pair. But I have seen some of the more paranoid privacy folks doing 4096 key pairs.
> Other than that most of the defaults are good.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Gnupg-users