On Feb 22, 2009, at 6:54 PM, gerry_lowry (alliston ontario canada) wrote:

> Preamble
> ----------
> Michael W. Lucas on page 73 in Chapter 4 of "PGP & GPG: Email for
> the Practical Paranoid", No Starch Press, (c) 2006, shows the
> following choices for "Please select what kind of key you want":
>
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
>
> Michael recommends choosing "5" which turns out to be a disadvantage
> that one might not discover until the first time that she/he
> attempts to encrypt something.

He recommends an RSA signing key and later adding a subkey for
encryption. This is only a problem if someone does part 1 (the
signing key) of his recommendation and skips part 2 (the encryption
subkey).

> AFAIK, other people can still encrypt for the user who has selected
> "5" above. And the user can decrypt whatever she/he receives.

This is not correct. A sign only key means sign only. It has no
encryption capability. That's why you need a subkey to handle the
encryption.

> I do not recall Michael discussing the solution to the problems
> caused by selecting just "(5) RSA (sign only)", although, since his
> book is written for a beginner audience, I do think he should
> have addressed this problem. Nevertheless, I found his book
> still quite helpful.
>
> QUESTIONS
> -----------------
> Especially because of my experience mentioned above, I tend to pay
> attention to the text that follows "Please select what kind of key
> you want". The Windows version that I used matches Michael's text:
>
>    gpg --gen-key
>    gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
>    Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
>
> From "gpg --edit-key ID addkey", I also get
>
>    (2) DSA (sign only)
>    (4) Elgamal (encrypt only)
>    (5) RSA (sign only)
>    (6) RSA (encrypt only)
>    ---------------------------------- where's (3)
>    (3) ??????????????
>
> Why is there no "(3)" in the above two lists [gen-key list, addkey
> list]?

(3) and (7) are special cases for advanced users. They do not show up
in the menu unless the "--expert" flag is given. They let you create
a key with any features that you want (for example, you could create an
RSA key that can sign and encrypt with a single key and not need
subkeys at all). This is for advanced use only.

> Why are choices "(4) Elgamal (encrypt only)" and "(6) RSA (encrypt
> only)" not present in the "gen-key" list?

They are not meaningful there. gen-key creates a primary key, and as
per the OpenPGP standard, a primary key must be able to issue
certification signatures. An encrypt only key, by definition, cannot
issue signatures.

> Why is choice "(1) DSA and Elgamal (default)" not present in the
> "addkey" list?

Again, not meaningful there. addkey creates subkeys. DSA+Elgamal is
not a subkey (it's a shortcut for specifying a DSA primary and an
Elgamal subkey).

> ============ http://www.netbsd.org/developers/pgp.html ==============
> shows different choices for "gpg --gen-key":
>
>    (1) DSA and ElGamal (default)
>    (2) DSA (sign only)
>    (4) ElGamal (sign and encrypt)
>    (5) RSA (sign only)
>
> Exploring further "Please select what kind of key you want" via
> Google, I get the impression that there's potentially a standard
> that might read something like:
>
>    position (1) should always be __________;
>    position (2) should always be __________;
>    position (3) should always be __________; et cetera
>
> and for any position, you can offer nothing, sign only, encrypt
> only, or sign and encrypt together.
>
> Is that the case with regards to developer guidelines?

No. The numbers have changed in the past, and may well change in the
future.

> Also, I'm guessing that although a developer might opt out of
> creating a key of type X, regardless, the developer must presumably
> support a complete set of encryption/decryption choices for the
> purpose of processing public and private keys properly. Is this
> the case?

Not really. It is true that the developer can choose to not allow
creating certain key types in their OpenPGP program. It is also true,
though, that the developer can choose to not support an algorithm at
all. The only algorithms that are required to be supported are DSA
for signing, Elgamal for encryption, 3DES as a symmetric cipher, and
SHA-1 as a hash. Strictly speaking, everything else is optional. Of
course, most programs support a good chunk of the optional algorithms.

David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
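
As an added example (not part of the original e-mail and not GnuPG's own code), the sketch below reads the machine-readable listing from `gpg --with-colons --list-keys` and flags keys that cannot receive encrypted mail, which is the situation described above when only "(5) RSA (sign only)" is chosen and no encryption subkey is added. The sample listing, key IDs and function names are constructed for illustration, and the code assumes a listing with separate `uid` records.

```python
# Added example: find keys in `gpg --with-colons --list-keys` output that
# cannot receive encrypted mail (sign-only primary, no usable encryption subkey).
ALGO = {"1": "RSA", "16": "Elgamal", "17": "DSA"}  # OpenPGP algorithm IDs
UNUSABLE = set("ired")  # validity field: invalid, revoked, expired, disabled

# Constructed sample listing; key IDs, dates and user IDs are made up.
SAMPLE = """\
pub:u:2048:1:0000000000000001:1235347200:::u:::scSC:
uid:u::::1235347200::::Sign Only <signonly@example.org>:
pub:u:2048:1:0000000000000002:1235347200:::u:::scESC:
uid:u::::1235347200::::With Subkey <subkey@example.org>:
sub:u:2048:1:0000000000000003:1235347200::::::e:
pub:u:1024:17:0000000000000004:1235347200:::u:::scSC:
uid:u::::1235347200::::Revoked Subkey <revoked@example.org>:
sub:r:2048:16:0000000000000005:1235347200::::::e:
"""

def parse_keys(listing):
    """Group pub/uid/sub records into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "uid": None, "parts": []})
        if not keys:
            continue  # ignore anything before the first primary key
        if f[0] == "uid" and keys[-1]["uid"] is None and len(f) > 9:
            keys[-1]["uid"] = f[9]
        elif f[0] in ("pub", "sub") and len(f) > 11:
            keys[-1]["parts"].append({
                "algo": ALGO.get(f[3], "algo " + f[3]),
                "usable": f[1] not in UNUSABLE,
                # Field 12: lowercase letters are this key's own capabilities.
                "caps": {c for c in f[11] if c.islower()},
            })
    return keys

def can_receive_encrypted(key):
    """True if the primary key or any usable subkey has the 'e' capability."""
    return any(p["usable"] and "e" in p["caps"] for p in key["parts"])

def audit(listing):
    """Return (keyid, first uid, can_receive_encrypted) per primary key."""
    return [(k["keyid"], k["uid"], can_receive_encrypted(k))
            for k in parse_keys(listing)]

if __name__ == "__main__":
    for keyid, uid, ok in audit(SAMPLE):
        print(keyid, uid, "can encrypt to" if ok else "SIGN ONLY, add a subkey")
```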