On 7/23/11 10:19 AM, Edmond wrote: > But since AFAIK both 1024 bit DSA and SHA1 hashes are not recommended > for use anymore (at least in new systems), I was wondering if I should > issue a new primary key.
This is impossible to answer, since we don't know exactly what threats you're facing. However, it's worth pointing out that you're correct: most of us no longer recommend DSA-1K or SHA-1 *for new systems*. Speaking personally, just for myself, I have not seen any instances where I thought someone who used DSA-1K needed to switch algorithms immediately. It's probably a good idea to migrate to a new certificate *sometime*. If right now is a convenient time for you to do it, then sure, go for it. But there's no rush. With respect to which algorithms to use... use GnuPG's defaults (RSA-2K right now, I believe). You don't need to tweak GnuPG in order to get a very high level of assurance from it. :) > I.e., the worst thing that could happen is that someone > issues new subkeys that claim to belong to my primary key when they > actually don't. Is that correct? Almost. The worst that could happen is someone could issue signatures and pretend they're from you. But if SHA-1 falls that far, well, we're all going to have a whole lot of problems above and beyond just that. :)
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
