Re: what are the sub keys

Tue, 22 Mar 2011 07:24:15 -0700 

On Sat, Mar 19, 2011 at 11:36:57PM -0400 Also sprach Robert J. Hansen:

On 3/19/11 10:34 PM, Jonathan Ely wrote:


but be sure to set your preferences and choose a 4096 over 2048.


Why?  This is like saying, "I like the bank vault on my front door, but
I wish it was thicker: I want the extra security."  Key length is only a
small part (arguably the smallest part) of communications security.



I agree that 4096 may seem like overkill, but I think the recommendation
to max out one's RSA key size is defensible. Here's why:

1. Modern computers are fast; it costs us almost nothing in terms of
   computation time to use a 4096-bit key.

2. Modern computers are fast, and getting faster all the time; remember
   that your security margin may need to be good not just today, but
   against all the attacks that are possible in the future, for as long
   as your data needs to remain secure (decades, for some people). Once
   upon a time, 1024-bit keys were considered perfectly adequate; most
   experts urge against generating keys today with that strength.

I agree that an awful lot of fuss is made over key length, sometimes to
the exclusion of other, much more likely attack vectors. However, until
someone describes for me a compelling reason NOT to bump key length up
to 4096, my view remains: "Why not?"

Special case, relating to this thread's original question:

Some software which is designed to interface with GnuPG, or otherwise
implement PGP keys, may not support arbitrary key lengths.
E.G. Evolution used to have a 160-bit hash hard-coded into it's gnupg
integration (it may still--I haven't used Evolution in a while), which
meant that to remain DSS-compliant, you could only sign email with a
1024-bit DSA key. DSA-2 keys could not be supported directly by
Evolution. You could circumvent the key-stregth limit by using an RSA
key as long as you liked. However, in cases when a particular piece of
software may require use of a key which does not meet your general-use
criteria, for whatever reason, generating a sub-key which meets the
requirements can allow you to use the specific feature you need, while
still enabling you to use other sub-keys for less restrictive
applications.

--
"Le hasard favorise l'esprit préparé."
                      --Louis Pasteur

Attachment: pgp8BcUjLpUkr.pgp
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to