I appreciate everyone's feedback on this matter. Comments/questions below...
On Fri, Dec 10, 2010 at 9:41 AM, Robert J. Hansen <[email protected]>wrote: > On 12/9/2010 11:08 PM, David Tomaschik wrote: > > I feel bad for the "litter" this introduces to the keyservers. > > Don't. :) The keyservers don't have a problem with this litter. I > wish people showed more care with their certificates, but that's because > I get too many "I forgot my passphrase, help!" emails, not because I > think the keyserver network is getting clogged. > Only my oldest key (ca. 2000) is still in the wild, with a lost private key. Many lessons were learned from that. > > > I currently have a 4096-bit RSA sign/encrypt keypair with no subkeys. I > > believe, but am not certain, that it was generated with SHA1 hashes. > > (Is there a way I can check?) This keypair was generated in May of this > > year. > > Well, you have one subkey, it's just that the subkey is capable of both > signing and encryption. You don't have separate subkeys for separate > tasks, if I understand you correctly. Some people think this is a bad > idea, since if you're compelled to produce an encryption key to the > authorities (so they can decrypt an email sent to you) you've also > provided them with your signature key (so they can now impersonate you). > Are there any disadvantages to distinct signature & encryption keys? Seems like there's benefit with little cost (other than a bigger keyring). I'm currently considering generating an offline-only master key and using that to sign other keys. Some of the other threads in the archives seemed to recommend this. > > > What is the best way to transition my email address? Add a new UID and > > revoke the old? Should a new keypair be generated? What is the > > conventional wisdom on the strength of RSA-4096? > > Add a new UID and revoke the old. You don't need to generate a new > certificate. RSA-4K is, IMO, phenomenal overkill for the vast majority > of users. Breaking RSA-2K is believed comparable in difficulty to > breaking 3DES, and that prospect is ... let's just say "implausible." > > RSA-3K is roughly comparable to breaking AES-128. RSA-4K is not very > much harder than that. Given all this, I really don't see any point in > going past RSA-2K. Adding another 2,000 bits to the key in order to get > about another 20 bits of symmetric-key equivalent just strikes me as bad > art. > > > If a new keypair is generated, what length would be sufficient for a > > decent (10+ year, preferrably 20+) margin of safety? I know that there > > may be unforeseen advances in computing that allow for keys to be broken > > rapidly (Quantum computing, new sieve algorithms, etc.), but there's > > surely some guidance based on the current generation of things. > > There is not. In twenty years we will see commonplace attacks that > today are just speculative science fiction. It's incredibly hard to > make good long-term predictions about crypto. > > It is possible that in twenty years national governments will have > large-scale quantum processors. Once that happens, RSA, DSA and ElGamal > all die horrible screaming deaths. > > As an example: almost twenty years ago Schneier wrote in _Applied > Cryptography_ of the Chinese Lottery Attack. It involved putting a > small processor in every Chinese television set, which could be > programmed by broadcasts from Party headquarters. Each processor would > crunch a small part of the keyspace, and as soon as a hit was achieved > the television would tell the viewer, "You have won! Call Party > headquarters with this authorization number: [insert key here]." > > Twenty years ago the Chinese Lottery Attack was an interesting thought > experiment, but nobody took it seriously. > > Today we have RC5-64, distributed.net, s...@home, botnets, Amazon EC2 > and all manner of other massively distributed computing frameworks. The > question today isn't whether a Chinese Lottery Attack is possible: the > question is how much it will cost you to rent your server time. > > The future is a scary place. But fun, too, and I look forward to > getting there. :) > > > In a new keypair, is it safe to use SHA512 for hashes? > > Sure, but you don't need to create a new cert to use new hash algorithms. > > Is the weakness in the hash used to sign the key internally, or just when it is used to sign data? I guess that's the part that eludes me. I've been looking at the thread earlier this month regarding smartcards. Are the options from kernel concepts basically the full range of GPG-compatible smart cards, or are there other products I haven't seen? Obviously I'd need a new keypair if I switched to that, as they only go up to RSA3k. Thanks again, David Tomaschik >
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
