On Thu, Oct 21, 2010 at 11:58:32AM +1100, Zenaan Harkness wrote:
>Hey sluggers, do you have experience of any problems using gpg's
>--disable-dsa2 option?
>
>gnupg 1.4.6 is what I am using (Ubuntu 8.04), although later today I
>should have a chroot for Ubuntu 10.04 if that makes any difference.
>
> --disable-dsa2
> Enables new-style DSA keys which (unlike the old style) may be
> larger than 1024 bit and use hashes other than SHA-1 and
> RIPEMD/160. Note that very few programs currently support these
> keys and signatures from them.
>
>I have only ever given my current key to about three people, and my
>root master/ private key has an old email address from 12+ years ago
>which I wish to make disappear.
I guess your key ID is AA41E5E0:
http://pgp.net.nz:11371/pks/lookup?op=vindex&fingerprint=on&search=0xAA41E5E0

To migrate your WoT, see:
http://www.debian-administration.org/users/dkg/weblog/48

>So I am going to create a new master key (pair).

You could see the instructions about creating a strong 4096-bit RSA key at:
http://keyring.debian.org/creating-key.html

>Having just re-read the Gnu Privacy Handbook (GPH), it says:
>"DSA allows a key size up to 1024 bits. This is not especially good
>given today's factoring technology, but that is what the standard
>specifies. Without question, you should use 1024 bit DSA keys."
>
>Is there any reason I should not use --disable-dsa2 ?

You should use RSA keys of 2048 (or more) bits. The problem with a DSA
key is that by default it uses SHA1, which may be (or will be) vulnerable.
See: http://csrc.nist.gov/groups/ST/hash/statement.html

You should read the page OpenPGP Best Practices at:
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
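The check behind the advice above (a 1024-bit DSA key of that era signs with SHA-1, an RSA key can use SHA-2) is to look at which hash algorithm a signature packet actually declares. The following is an added example, not code from the thread or from GnuPG: it parses OpenPGP packet framing from RFC 4880 (sections 4.2 and 5.2) just far enough to report the public-key and digest algorithm of every signature in a binary or ASCII-armored input. The sample packets it carries are constructed by hand with fake MPI material and cannot be verified by anyone; only their headers are realistic. The CRC24 line in the constructed armor is a placeholder and is not checked.

```python
"""Report which public-key and hash algorithm OpenPGP signature packets declare.

Added example, not from the thread. Sample packets are constructed with fake
MPIs and cannot be verified; their headers follow RFC 4880 5.2.2/5.2.3.
"""
import base64
import re
import struct

PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1: avoid for new signatures

def dearmor(text):
    """Strip an ASCII-armor envelope and return the binary packet stream."""
    text = text.replace("\r\n", "\n")
    m = re.search(r"-----BEGIN PGP [A-Z ]+-----\n(.*?)\n-----END PGP", text, re.S)
    if not m:
        raise ValueError("no armor envelope found")
    body = m.group(1)
    if "\n\n" in body:                  # armor headers (Version:, ...) end at a blank line
        body = body.split("\n\n", 1)[1]
    # The "=xxxx" CRC24 line is skipped, not verified (gpg does verify it).
    lines = [ln for ln in body.splitlines() if ln and not ln.startswith("=")]
    return base64.b64decode("".join(lines))

def _read_packet(buf, pos):
    """Parse one packet header at buf[pos]; return (tag, body, next_pos)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte at offset %d" % pos)
    pos += 1
    if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first, pos = buf[pos], pos + 1
        if first < 192:
            length = first
        elif first < 224:
            length, pos = ((first - 192) << 8) + buf[pos] + 192, pos + 1
        elif first == 255:
            length, pos = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header (4.2.1), what gpg 1.4 emits
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
        if size is None:
            raise ValueError("indeterminate length not supported")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + length

def _parse_signature(body):
    """Read version, type, public-key and hash algorithm from a signature body."""
    version = body[0]
    if version == 4:    # version, sig type, pk algo, hash algo, subpackets, ...
        sig_type, pk, hsh = body[1], body[2], body[3]
    elif version == 3:  # version, 0x05, sig type, time(4), key id(8), pk algo, hash algo
        sig_type, pk, hsh = body[2], body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return {"version": version, "sig_type": sig_type,
            "pubkey": PUBKEY_ALGOS.get(pk, "unknown(%d)" % pk),
            "hash": HASH_ALGOS.get(hsh, "unknown(%d)" % hsh),
            "weak_hash": hsh in WEAK_HASHES}

def inspect_signatures(data):
    """Summarise every signature packet (tag 2) in binary or armored input."""
    if isinstance(data, str):
        data = dearmor(data)
    elif data.startswith(b"-----"):
        data = dearmor(data.decode("ascii"))
    results, pos = [], 0
    while pos < len(data):
        tag, body, pos = _read_packet(data, pos)
        if tag == 2:
            results.append(_parse_signature(body))
    return results

def fake_signature(pubkey_algo, hash_algo, mpis, old_format=False):
    """Constructed sample: a well-formed v4 signature packet carrying fake MPIs."""
    hashed = struct.pack(">BBI", 5, 2, 1287611912)    # one hashed subpacket: creation time
    body = bytes([4, 0x00, pubkey_algo, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0) + b"\xde\xad"         # no unhashed subpackets; fake hash prefix
    for m in mpis:
        body += struct.pack(">H", m.bit_length()) + m.to_bytes((m.bit_length() + 7) // 8, "big")
    return bytes([0x88 if old_format else 0xC2, len(body)]) + body   # tag 2, 1-octet length

# Constructed samples: a DSA/SHA-1 signature as gpg 1.4 would frame it, an RSA/SHA-256 one.
DSA_SHA1_SIG = fake_signature(17, 2, (0x1E240, 0x3ADE68B1), old_format=True)
RSA_SHA256_SIG = fake_signature(1, 8, (0x10001,))
ARMORED_DSA_SIG = ("-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n"
                   + base64.b64encode(DSA_SHA1_SIG).decode()
                   + "\n=AAAA\n-----END PGP SIGNATURE-----\n")   # CRC line is a placeholder

if __name__ == "__main__":
    for s in inspect_signatures(DSA_SHA1_SIG + RSA_SHA256_SIG) + inspect_signatures(ARMORED_DSA_SIG):
        flag = "  <-- weak digest" if s["weak_hash"] else ""
        print("v%d %s signature, hash %s%s" % (s["version"], s["pubkey"], s["hash"], flag))
```

On a real detached signature the same fields are what `gpg --list-packets signature.asc` prints as `algo` and `digest algo` (digest algo 2 is SHA-1, 8 is SHA-256); the parser above only makes the byte layout visible. Partial-body and indeterminate lengths are refused rather than guessed, since a signature packet never legitimately needs them.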
