-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Doug Barton wrote:
...
> Signing key: 2048 RSA
> 1024 RSA seems right out based on recent events, however I can't see any
> reasoning for a larger signing key, and I've read all the discussion on
> why this is the default and don't see anything wrong with it (in my
> expert opinion). :)

IMHO, the main key (used to sign other keys) is the most important one, since you can add or revoke subkeys, but the main one can't be changed. If the key length chosen becomes unsafe, you should revoke the key and make a new one, so I would choose a length with a larger security margin, like RSA 2048 (by the way, RSA 2048 is the new default in the current version of GnuPG). IIRC, RSA 2048 is considered to remain safe until 2030 (according to a Wikipedia article quoting RSA estimations). Of course that estimation may change.

...
> Encryption subkey: 4096 RSA

Well, if you want to store something encrypted, and it must remain safe at least until 2030, maybe you can use that length, since it would give you a larger security margin.

Another thing to consider is that SHA is not as safe as it used to be, and if it becomes easily crackable, signatures issued using SHA can become unsafe. So maybe you'd like to use SHA-256 instead of SHA-128. If I'm not wrong, you would need to add the following lines to your gpg.conf file before generating your key:

s2k-digest-algo SHA256
cert-digest-algo SHA256

The first line tells gnupg to use SHA-256 instead of SHA-1 to mangle the passphrases. I don't really know what that mangling thing is, but if the idea is to replace SHA-1 with SHA-256, it can be useful. (I have a bad feeling about telling other people to use that line.) The second line tells gnupg to use SHA-256 instead of SHA-1 for signing other keys. But beware, older implementations of PGP may not be able to read SHA-256 (but probably these implementations are outdated).
Best Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJLpZUXAAoJEMV4f6PvczxAEcEH/RD4szs4GozPBPKW7BBWG8vu
RUMQFgEtapnLd9cfZmdH5MQUHYTossHlx9PwoX5c7hYPWf8IcDbiNYjHoE3ZSiVF
kfAZpsO9Y1pFqnJS9ikpp8ZoAKp48J/Ex/INViHn5pVpm07xvA4DyCD4TJJAF1AP
Gdiicof5RC/o9xIxIrsVMBAs1IH3h4ZK6FK6DoSpJDN9+RaLtiiIf/4UuWv4ZWfZ
K+VsA2SEjgaRFV9y15J39RR5PwfZZcEIspoNmSVvkL8TRcN2bip4cglNyRLwUyaF
KBCkKi+3ykyAAA+jSKQggGUlrBOEe4kyxKbflcJEtwNsAb6QIdOsQhLP0fOq6tU=
=VGBG
-----END PGP SIGNATURE-----
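The message above recommends two gpg.conf lines (s2k-digest-algo and cert-digest-algo, both real GnuPG options) so that key generation does not fall back to SHA-1. The following is an added example, not code from the thread or from the GnuPG project: a small audit that parses gpg.conf text and reports whether those two options are set to a SHA-2 digest, still set to a weak one, or absent (in which case GnuPG's own default applies). It assumes gpg.conf's simple "option value" line syntax with '#' comments, maps digest names and OpenPGP hash IDs per RFC 4880 section 9.4, and uses constructed sample configs.

```python
# Added example (not from the thread or GnuPG): audit gpg.conf digest settings.
# Real GnuPG options checked: s2k-digest-algo and cert-digest-algo (both named
# in the post). Hash names and numeric IDs follow RFC 4880 section 9.4; GnuPG
# also accepts the "H<n>" spelling. The sample configs below are constructed.

# OpenPGP hash algorithm IDs (RFC 4880, 9.4).
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}
STRONG = {"SHA224", "SHA256", "SHA384", "SHA512"}
# The two options the post recommends setting before generating a key.
CHECKED = ("s2k-digest-algo", "cert-digest-algo")


def parse_gpg_conf(text):
    """Parse gpg.conf text into {option: value}.

    '#' starts a comment, blank lines are skipped, the first whitespace-separated
    token is the option name and the rest is its value. A later occurrence of
    an option overrides an earlier one, as GnuPG reads the file top to bottom.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        options[name] = value
    return options


def normalize_digest(value):
    """Map 'sha-256', 'SHA256', 'H8' or '8' to a canonical name, or None."""
    v = value.strip().upper().replace("-", "")
    if v.startswith("H") and v[1:].isdigit():
        v = v[1:]
    if v.isdigit():
        return HASH_IDS.get(int(v))
    return v if v in HASH_IDS.values() else None


def audit_digests(conf_text):
    """Return {option: verdict} for the options the post recommends.

    Verdicts: 'ok' (SHA-2 family), 'weak' (MD5, SHA-1 or RIPEMD-160),
    'missing' (option absent, so GnuPG's built-in default applies),
    'unknown' (a value this audit does not recognise).
    """
    options = parse_gpg_conf(conf_text)
    report = {}
    for opt in CHECKED:
        if opt not in options:
            report[opt] = "missing"
            continue
        digest = normalize_digest(options[opt])
        if digest in STRONG:
            report[opt] = "ok"
        elif digest in WEAK:
            report[opt] = "weak"
        else:
            report[opt] = "unknown"
    return report


# Constructed sample: the weak setting, plus a commented-out line that has no effect.
LEGACY_CONF = """\
# cert-digest-algo SHA256   (commented out, so it does not apply)
cert-digest-algo SHA1
"""

# Constructed sample: the two lines the post recommends adding.
HARDENED_CONF = """\
s2k-digest-algo SHA256
cert-digest-algo SHA256
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_digests(conf))
```

A 'missing' verdict is worth treating as a finding in its own right: the post's advice is precisely that the built-in default (SHA-1 at the time of the thread) should not be relied on, so an absent option is not the same as a hardened one.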