On Tue, 14 Sep 2010 17:01, [email protected] said: > I'd appreciate some input from this list about the Debian bias towards 4096 > RSA main keys, instead of DSA2 (3072-bit) keys. Is it justified?
We have made RSA the default in GnuPG for three reasons: First, DSA > 1024 is only supported by more recent versions of OpenPGP implementations whereas RSA is supported for 10 years now with any sane key size. Second, we want to support SHA2 et al as soon as possible; this is not possible with DSA-1024. Third, DSA signing is fast (DSA-3072 is about 7 times faster than RSA-4096) however verification is much slower (~15 times). Given that for most use cases verification is the most prominent operation (think only of checking hundreds of key signatures per key), this is for what we want to optimize. OTOH, DSA vs. RSA is not the real question. I have not seen a threat model for DD keys. I would claim that the best way to attack Debian's code signing is to take over a developer's box and make use of his/her key [1]. With ~ 1000 developers and thus at least this number of boxes and keys this is a by far an easier way for malice actions than even to think about how to break RSA-2048. I doubt that this situation will change in the next 10 years. > These keys are used as KSK, as gpg will happily attach subkeys to them > for the grunt work... Right, but than you should take the primary key offline or put it on a smart card - this removes the option to attack the primary key on the developer's box. And if one of the subkeys has been compromised it is very easy to replace that subkey. Salam-Shalom, Werner [1] An even easier way is to subvert the upstream source. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [email protected]
