Re: gnupg 2.0.2 and funopen/fopencookie on Solaris 8

2007-08-22 Thread Werner Koch
On Tue, 21 Aug 2007 17:59, [EMAIL PROTECTED] said:

> Are you saying that I should be able to compile
> gpg now? Where do I get the estream library?

It is part of gnupg 2.0.6 and used on any platform.
(common/estream*.[ch])

I don't know whether it will build.


Shalom-Salam,

   Werner



-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Questions about generating keys

2007-08-22 Thread Oskar L.
I'm about to generate a new keypair, and got a few questions.

I have many e-mail addresses and change them frequently, and therefore I
don't want to have one in my public key. (Also because I'm afraid of
getting spam.) I think this would be easier than having to update a lot of
user IDs. Are there any drawbacks in not having an e-mail address in
the public key? Are there any widely used applications that will expect
one, and not work if none is found?

Why is there no way to generate a RSA keypair in one step, like when you
create a DSA/Elgamal keypair? Why do I first have to create a signing key,
and then in a separate step create an encryption key? This is annoying.

"Name must be at least 5 characters long"
Why? There are probably many people who like to go only by their first
name, and have a 3 or 4 character name.

Is there any way to manually set the time that will be used for the
creation time? Or do I have to change the system time if I don't want to
use the current time? I'm a bit of a perfectionist, and think 00:00:00
looks much better than something like 01:42:57.

Oskar



Re: Questions about generating keys

2007-08-22 Thread Robert J. Hansen
Oskar L. wrote:
> Are there any drawbacks in not having an e-mail address in the
> public key?

Not especially.

> Are there any widely used applications that will expect one, and not
> work if none is found?

Not to my knowledge.

> Why is there no way to generate a RSA keypair in one step, like when you
> create a DSA/Elgamal keypair? Why do I first have to create a signing key,
> and then in a separate step create an encryption key? This is annoying.

1. Because the developers don't feel it's necessary, and nobody's yet
   submitted a patch.

2. Why do you need an RSA keypair?  The overwhelming majority of users
   are best served by sticking with the defaults--which, in this case,
   means a DSA/Elgamal keypair.

> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their first
> name, and have a 3 or 4 character name.

1. Because the developers don't feel it's necessary, and nobody's yet
   submitted a patch.

2. RFC2440 is officially neutral about the content of a user ID packet,
   except that by convention it's an RFC822-style address.  Speaking for
   myself, I'm glad GnuPG enforces a minimum; it reduces the likelihood
   that some poorly-conformant implementation will have a psychotic
   break from reality when it sees a user ID packet with length 0.

   GnuPG's limit is, as near as I can tell, completely arbitrary.  That
   doesn't make it a bad choice.  If the spec gives no guidance (at
   least, none I can see in section 5.11), then any decision whatsoever
   is arbitrary.  Allow zero-length?  Arbitrary.  Allow only names of 17
   characters?  Arbitrary.  Require at least five-letter names?
   Arbitrary.

   The ultimate metric is not whether the choice is perfect; it's
   whether the choice makes sense for the great majority of users.

> Is there any way to manually set the time that will be used for the
> creation time? Or do I have to change the system time if I don't want to
> use the current time? I'm a bit of a perfectionist, and think 00:00:00
> looks much better than something like 01:42:57.

There is not, and I recommend against changing your system time just to
get a 'perfect' key.

A key is a mathematical device which allows us to utilize trust
relationships over a widely dispersed network.  A perfect key is one
which best contributes to the confidence and trust of the network.

If I see that you've got a key date of 00:00:00, my first thought is
going to be that you've played hob with your system time and carefully
doctored your key.  That is not going to cause me to have trust in you
or your key.

Doctoring a key in this way is probably ultimately against your own
interests.




Re: GnuPG & OpenSSH

2007-08-22 Thread Srihari Vijayaraghavan
--- Werner Koch <[EMAIL PROTECTED]> wrote:
> On Mon, 20 Aug 2007 14:10, [EMAIL PROTECTED] said:
> 
>> 1. Is it possible to have only one key pair (public & secret, pref. DSA) that
>> can be used for both GPG & OpenSSH? (as a sys admin of some interest in
>> cryptography, this is an important question)
> 
> Yes.  However you want separate keys for separate tasks.  Fortunately
> OpenPGP provides just that: There is a primary key for certifying other
> keys (and subkeys) and subkeys for encryption, signing and
> authentication.  The authentication key may be used for SSH.

Thanks for the direction there.

I now have an 'authentication' subkey created. I've even extracted the SSH
compatible public key from the subkey using gpgkey2ssh (which I can propagate
to .ssh/authorized_keys of the remote machines).

I'm stuck, unable to understand how to integrate the secret key of the above
authentication subkey with gpg-agent (or ssh-agent for that matter, though
gpg-agent is my preferred choice now :-)).

Just by observing things, I'd say I've two choices:
1. Extract the SSH compatible secret key from the authentication subkey
somehow; then use ssh-add to populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/keygrip.key files. Naturally, I don't know how to
extract an SSH compatible key from the subkey to feed it to ssh-add, so I can
make no progress here.
2. Or by other means populate .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/keygrip.key files. I've made no progress here
either for the lack of skill & knowledge.

I'd appreciate it if a GnuPG expert can guide me with either one of the choices
above (or perhaps a Smartcard's the only path suitable etc., as the gpg-agent man
pages imply the smartcard approach is capable of handling .gnupg/sshcontrol &
.gnupg/private-keys-v1.d/keygrip.key files 'automatically').

I also couldn't work out how to extract the keygrip id of a subkey (using gpg2
--fingerprint subkeyid OR gpg2 --edit-key subkeyid etc.). I suspect the
keygrip of a subkey might be the same as the primary key it's associated with.
Yes?

(If yes, then the next question is how to populate
.gnupg/private-keys-v1.d/keygrip.key with the right content :-).)

Thank you.

Srihari

PS: Indeed with gpg-agent I've struck a gold-mine ;-). Would be nice if I can
get the SSH integration using GPG subkey going somehow. I have some very useful
uses for these ideas.



  





Re: Questions about generating keys

2007-08-22 Thread Janusz A. Urbanowicz
On Wed, Aug 22, 2007 at 01:06:18PM +0300, Oskar L. wrote:
> I'm about to generate a new keypair, and got a few questions.
> 
> I have many e-mail addresses and change them frequently, and therefore I
> don't want to have one in my public key. (Also because I'm afraid of
> getting spam.) I think this would be easier than having to update a lot of
> user IDs. Are there any drawbacks in not having an e-mail address in
> the public key? Are there any widely used applications that will expect
> one, and not work if none is found?

Yes, common sense. If you submit your key to a keyserver, there should
be some way to distinguish your key from hundreds of others having the
same short name, when searching for a key.

Sidenote: you are getting spammed anyway, it is better to invest in
filtering infrastructure (greylisting, spamassassin, bogofilter), than
play whack-a-mole with spammers, with you being the mole.
 
 Is there any way to manually set the time that will be used for the
 creation time? Or do I have to change the system time if I don't want to
 use the current time? I'm a bit of a perfectionist, and think 00:00:00
 looks much better than something like 01:42:57.

It looks unnatural and doctored.

Alex
-- 
JID: [EMAIL PROTECTED]
PGP: 0x46399138
Paying attention to details is the job of doctors, lawyers, programmers and watchmakers
 -- Czerski



Re: Questions about generating keys

2007-08-22 Thread Todd Zullinger
Oskar L. wrote:
> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their
> first name, and have a 3 or 4 character name.

It's generally considered useful to follow the typical format for a
user id (FirstName LastName <[EMAIL PROTECTED]>).  You are free to
ignore this and the --allow-freeform-uid option will bypass all checks
on the format of the user id.

-- 
Todd | OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
That men do not learn very much from the lessons of history is the
most important of all the lessons of history.
-- Aldous Huxley, Collected Essays, 1959





subpacket of type 20 has critical bit set

2007-08-22 Thread Kevin Coates

Occasionally the console session will display "subpacket of type 20 has
critical bit set" when verifying certain signatures. What exactly is
this message telling me and is it of any concern to me or the key owner?

Thanks in advance.


Timestamp: Wed 22 August 2007, 08:34 AM -0400 (Eastern Daylight Time)
-- 
Kevin Coates
Dewitt, NY USA

(see kludges for my pgp key)





Re: Questions about generating keys

2007-08-22 Thread David Shaw
On Wed, Aug 22, 2007 at 01:06:18PM +0300, Oskar L. wrote:
> I'm about to generate a new keypair, and got a few questions.
> 
> I have many e-mail addresses and change them frequently, and therefore I
> don't want to have one in my public key. (Also because I'm afraid of
> getting spam.) I think this would be easier than having to update a lot of
> user IDs. Are there any drawbacks in not having an e-mail address in
> the public key? Are there any widely used applications that will expect
> one, and not work if none is found?

Yes.  Mail programs tend to fetch keys by email address (out of
necessity - that's usually all they know about the person being
mailed).

> Why is there no way to generate a RSA keypair in one step, like when you
> create a DSA/Elgamal keypair? Why do I first have to create a signing key,
> and then in a separate step create an encryption key? This is annoying.

No real reason, except it would make the list of key types very long
if every possible combination was listed (RSA primary/Elgamal subkey,
DSA primary/RSA subkey, RSA primary/RSA subkey, DSA primary/Elgamal
subkey).

> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their first
> name, and have a 3 or 4 character name.

It's not common, and keeping a 5 character name helps prevent errors
(mistyping).  If you really have a name that short, you can use the
--allow-freeform-uid to override the test.

> Is there any way to manually set the time that will be used for the
> creation time? Or do I have to change the system time if I don't want to
> use the current time? I'm a bit of a perfectionist, and think 00:00:00
> looks much better than something like 01:42:57.

As it happens, this will probably be possible in an upcoming version,
but for other reasons.  That said: I wouldn't bother - it changes
nothing about the key and is completely cosmetic.

David

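David Shaw's and Todd Zullinger's answers both turn on the conventional user ID layout, Name (Comment) <email>, on the minimum-name-length check that --allow-freeform-uid bypasses, and on mail programs looking keys up by the address inside the user ID. The Python below is an added illustration written for this archive, not GnuPG's own code: it parses a user ID into the three parts, applies checks modelled on the ones the thread mentions (the exact rules GnuPG applies are an assumption here), and shows why a user ID without an address can never be found by address. The sample keyring, its key IDs and addresses are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Conventional OpenPGP user ID layout: "Name (Comment) <email>"; comment and
# address are optional.  This regex is an assumption for the illustration,
# not GnuPG's parser.
_UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?:<(?P<email>[^>]*)>)?\s*$"
)


def parse_uid(uid: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split a user ID into (name, comment, email); absent parts are None."""
    m = _UID_RE.match(uid)
    if not m:
        raise ValueError(f"unparseable user ID: {uid!r}")
    name = m.group("name").strip()
    comment = m.group("comment")
    email = m.group("email")
    return (name,
            comment.strip() if comment is not None else None,
            email.strip() if email is not None else None)


def check_uid(uid: str, allow_freeform: bool = False) -> List[str]:
    """Return the problems found with a user ID; an empty list means acceptable.

    The checks approximate what the thread describes (a 5-character minimum
    name and an address that looks like one); they are an assumption.
    allow_freeform mirrors --allow-freeform-uid by skipping every check.
    """
    if allow_freeform:
        return []
    name, comment, email = parse_uid(uid)
    problems = []
    if len(name) < 5:
        problems.append("Name must be at least 5 characters long")
    if "<" in name or ">" in name:   # brackets would be read as an address
        problems.append("Name may not contain '<' or '>'")
    if email is not None and ("@" not in email or " " in email):
        problems.append("Not a valid email address")
    if comment is not None and ("(" in comment or ")" in comment):
        problems.append("Comment may not contain parentheses")
    return problems


def lookup_key_by_address(keyring: Dict[str, str], address: str) -> Optional[str]:
    """What a mail client does: find the key whose user ID carries this address.

    keyring maps a (constructed) key ID to its user ID string.  A user ID
    with no address is invisible to this lookup, which is the point made
    about mail programs fetching keys by e-mail address.
    """
    for key_id, uid in keyring.items():
        _name, _comment, email = parse_uid(uid)
        if email is not None and email.lower() == address.lower():
            return key_id
    return None


# Constructed sample keyring: key IDs and addresses are made up for the example.
SAMPLE_KEYRING = {
    "0x00000001": "Oskar Example (test) <oskar@example.invalid>",
    "0x00000002": "Oskar Example",          # no address in the user ID at all
}

if __name__ == "__main__":
    for uid in ("Bob", "Oskar Example (test) <oskar@example.invalid>"):
        print(uid, "->", parse_uid(uid), check_uid(uid))
    print(lookup_key_by_address(SAMPLE_KEYRING, "oskar@example.invalid"))
    print(lookup_key_by_address(SAMPLE_KEYRING, "other@example.invalid"))
```

The lookup function is the part worth keeping in mind when deciding whether to omit the address: nothing in OpenPGP forbids a bare name, but any software that resolves recipients the way `lookup_key_by_address` does will simply return nothing for the second sample key.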


Re: subpacket of type 20 has critical bit set

2007-08-22 Thread David Shaw
On Wed, Aug 22, 2007 at 08:40:25AM -0400, Kevin Coates wrote:
> 
> Occasionally the console session will display "subpacket of type 20 has
> critical bit set" when verifying certain signatures. What exactly is
> this message telling me and is it of any concern to me or the key owner?

It means that the person who made that signature set a notation on it,
and marked that notation as critical.  That means, essentially, if
you don't understand this notation, you cannot understand this
signature.  Thus, that signature is not usable.

The only notations that GPG understands, and thus allows to be
critical without invalidating the signature are:

  [EMAIL PROTECTED]
and
  [EMAIL PROTECTED]

Note that the critical notation might be set on a key or data
signature.  That message can be from either.

David

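David Shaw's explanation boils down to a rule every verifier has to implement: a subpacket whose critical bit is set, and whose meaning the verifier cannot act on, makes the signature unusable, whereas the same subpacket without the critical bit is simply skipped. The Python below is an added example written for this archive, not GnuPG's code; it shows that rule over the subpacket framing of RFC 2440/4880 (type octet with critical bit, one-, two- and five-octet lengths, and the notation-data layout of type 20), and it emits the same message text the question quotes. The two notation names GnuPG accepted are redacted in the archive, so the KNOWN_NOTATIONS set, the sample subpacket areas and the notation names in them are assumptions constructed for the example.

```python
NOTATION_DATA = 20      # subpacket type "Notation Data"
CRITICAL_BIT = 0x80     # high bit of the subpacket type octet

# Subpacket types this toy verifier claims to understand (RFC 4880 numbering).
HANDLED_TYPES = {2, 3, 9, 11, 16, NOTATION_DATA, 21, 22, 23, 24, 25, 26,
                 27, 28, 29, 30, 31, 32}

# Notation names the verifier knows how to act on.  Assumption: the real names
# GnuPG accepted in 2007 are redacted in the archive.
KNOWN_NOTATIONS = {"preferred-email-encoding@pgp.com", "pka-address@gnupg.org"}


def parse_subpackets(area):
    """Split a hashed or unhashed subpacket area into (type, critical, body)."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                                   # one-octet length
            length, i = first, i + 1
        elif first < 255:                                 # two-octet length
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                             # five-octet length
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[i]                              # counted in length
        body = area[i + 1:i + length]
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT), body))
        i += length
    return out


def parse_notation(body):
    """Decode notation data: 4 flag octets, name length, value length, name, value."""
    if len(body) < 8:
        raise ValueError("notation body too short")
    name_len = int.from_bytes(body[4:6], "big")
    value_len = int.from_bytes(body[6:8], "big")
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation lengths disagree with body size")
    name = body[8:8 + name_len].decode("utf-8", "replace")
    value = body[8 + name_len:]
    human_readable = bool(body[0] & 0x80)
    return name, value, human_readable


def check_signature_subpackets(area, known=KNOWN_NOTATIONS):
    """Return (usable, messages).

    A critical subpacket the verifier cannot act on makes the whole signature
    unusable; a non-critical one it does not understand is ignored.
    """
    usable, messages = True, []
    for sp_type, critical, body in parse_subpackets(area):
        understood = sp_type in HANDLED_TYPES
        if sp_type == NOTATION_DATA:
            name, _value, _human_readable = parse_notation(body)
            understood = name in known
        if critical and not understood:
            messages.append(f"subpacket of type {sp_type} has critical bit set")
            usable = False
    return usable, messages


def encode_subpacket(sp_type, body, critical=False):
    """Build one subpacket with the same length rules parse_subpackets reads."""
    length = len(body) + 1                                # count the type octet
    if length < 192:
        header = bytes([length])
    elif length < 8384:
        header = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        header = b"\xff" + length.to_bytes(4, "big")
    return header + bytes([sp_type | (CRITICAL_BIT if critical else 0)]) + body


def encode_notation(name, value, human_readable=True):
    """Build a notation-data body for a name/value pair."""
    n = name.encode("utf-8")
    flags = bytes([0x80 if human_readable else 0, 0, 0, 0])
    return flags + len(n).to_bytes(2, "big") + len(value).to_bytes(2, "big") + n + value


# Constructed sample subpacket areas (not taken from any real signature).
CREATION_TIME = encode_subpacket(2, (1187784000).to_bytes(4, "big"))
UNKNOWN_NOTATION = encode_notation("example@notation.invalid", b"1")
SIG_UNKNOWN_CRITICAL = CREATION_TIME + encode_subpacket(NOTATION_DATA, UNKNOWN_NOTATION, critical=True)
SIG_UNKNOWN_IGNORED = CREATION_TIME + encode_subpacket(NOTATION_DATA, UNKNOWN_NOTATION)
SIG_KNOWN_CRITICAL = CREATION_TIME + encode_subpacket(
    NOTATION_DATA, encode_notation("pka-address@gnupg.org", b"someone@example.invalid"), critical=True)

if __name__ == "__main__":
    for label, area in (("unknown critical", SIG_UNKNOWN_CRITICAL),
                        ("unknown non-critical", SIG_UNKNOWN_IGNORED),
                        ("known critical", SIG_KNOWN_CRITICAL)):
        print(label, "->", check_signature_subpackets(area))
```

The same check applies to any critical subpacket type the verifier lacks code for, not only notations, which is why the message names the type number; and since both key signatures and data signatures carry subpacket areas, the function can be run over either.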


Re: Questions about generating keys

2007-08-22 Thread Oskar L.
Robert J. Hansen wrote:
> 2. Why do you need an RSA keypair?  The overwhelming majority of users
>    are best served by sticking with the defaults--which, in this case,
>    means a DSA/Elgamal keypair.

I prefer RSA keys because

- DSA does not have a hash firewall.

- They don't have a 1024 bit limit, like DSA has. I know DSA2 can have
  larger keys, but last I heard PGP can't use them.

- The hash used is not limited to 160 bits, like it is with DSA.

- RSA is faster.

I can't understand why RSA isn't the default. The only argument defending
DSA I've heard is that DSA creates smaller signatures. Is this really so
important to people that they are willing to give up all the benefits of
RSA for it?


David Shaw wrote:
> No real reason, except it would make the list of key types very
> long if every possible combination was listed (RSA primary/Elgamal
> subkey, DSA primary/RSA subkey, RSA primary/RSA subkey,
> DSA primary/Elgamal subkey).

I understand, but surely an RSA keypair must be such a common thing
that it could have its own option? What I find really strange is that
the archives mention a sixth option, (6) RSA (sign and encrypt), but
version 1.4.6 gives me:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (3) DSA (set your own capabilities)
   (5) RSA (sign only)
   (7) RSA (set your own capabilities)

Why was the sixth option removed?

By the way, is there a security or performance difference between a
RSA (sign and encrypt) keypair with no subkeys, and a RSA (sign only)
keypair with a RSA (encrypt only) subkey?


David Shaw wrote:
>> Is there any way to manually set the time that will be used for the
>> creation time? Or do I have to change the system time if I don't want to
>> use the current time? I'm a bit of a perfectionist, and think 00:00:00
>> looks much better than something like 01:42:57.
>
> As it happens, this will probably be possible in an upcoming version,
> but for other reasons.

Nice! I'm curious about what these reasons are.


Alex wrote:
> Yes, common sense. If you submit your key to a keyserver, there
> should be some way to distinguish your key from hundreds of
> others having the same short name, when searching for a key.

Sorry, I forgot to say that I don't use any keyservers. Only my
friends can get my private e-mail address and private public key.


James wrote:
> - E-mail clients using PGP won't be able to automatically know
> which key to use when e-mailing you - they'd have to setup
> specific mappings.

That's ok, since they would have the same problem if the address
in my key differed from the one in their address book. Since
not specifying an e-mail address doesn't seem to go against the
OpenPGP specification, I think I won't specify one when I create
my new key.


Todd wrote:
> ...the --allow-freeform-uid option will bypass all checks on
> the format of the user id.

I'll keep that in mind in case I'll ever need it.


Thanks everybody for your answers!
-Oskar





Re: Questions about generating keys

2007-08-22 Thread Paul
On Wed, 22 Aug 2007 13:06:18 +0300 (EEST)
Oskar L. <[EMAIL PROTECTED]> wrote: 

> "Name must be at least 5 characters long"
> Why? There are probably many people who like to go only by their first
> name, and have a 3 or 4 character name.

Use

gpg --gen-key --allow-freeform-uid

(from 'man gpg')

best regards

Paul


-- 
It isn't worth a nickel to two guys like you or me, 
but to a collector it is worth a fortune 




Re: Questions about generating keys

2007-08-22 Thread John W. Moore III
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

John Clizbe wrote:

> There's no guarantee that your key won't end up on a keyserver nor is there
> one that your private email address won't leak into the public,

All it takes is 1 inadvertent click of 'Refresh All Keys' or a well
intentioned sharing of the 'Gift' of a Signature. :(

Public Keys are like 'Secrets'; when _only_ you have/know it, it's
Secret. Whenever it's shared it's...well, Public.

JOHN ;)
Timestamp: Wednesday 22 Aug 2007, 16:48 -0400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8-svn4556: (MingW32)
Comment: Public Key at:  http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage:  http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJGzKFHAAoJEBCGy9eAtCsPm5UH/0gCHp54spcykpsSG87sluvp
ix1jGDgJvnLSLr6QLci3vN5sVlV+5W17TOdmCWujz+0pucVDA3QOc0NwdK2kMoGQ
/1766wV75dA3lluBvr2/fWaAOUaoyUkw6JqEEINEbwUbwObqFn4FA3RCjTojYC1I
njHw4AEt7158dIBaCpvM45xvcFCxU8zbGatO2Kf6v879da5SfsIlfAahnCpDc+xf
tbg1G6sjldoeGpbUMWqntDeQgKL6/RyuaZcE6vlWt+E8kLROD14c3WQqIgxQvHn+
GQUA4yn6yxsJt3oTAAINDGpfht0fIWoQJjKx18nq8icCRJBBulOe9HB9RPhE7DI=
=dDDk
-----END PGP SIGNATURE-----



Re: Questions about generating keys

2007-08-22 Thread Janusz A. Urbanowicz
On Wed, Aug 22, 2007 at 03:34:50PM -0500, John Clizbe wrote:
> 
>> Alex wrote:
>>> Yes, common sense. If you submit your key to a keyserver, there
>>> should be some way to distinguish your key from hundreds of
>>> others having the same short name, when searching for a key.
>>
>> Sorry, I forgot to say that I don't use any keyservers. Only my
>> friends can get my private e-mail address and private public key.
>
> Relying on the 'highly effective Security via Obscurity' model, huh?
> 
> There's no guarantee that your key won't end up on a keyserver nor is there
> one that your private email address won't leak into the public,

There were people that submitted their whole keyrings to keyservers.

And yesterday I got spammed at an address that I created for one-time use
for one person, and never gave out publicly nor to anyone else.

a
-- 
JID: [EMAIL PROTECTED]
PGP: 0x46399138
Paying attention to details is the job of doctors, lawyers, programmers and watchmakers
 -- Czerski



Re: GnuPG & OpenSSH

2007-08-22 Thread Alex Mauer
Srihari Vijayaraghavan wrote:
> I now have an 'authentication' subkey created. I've even extracted the SSH
> compatible public key from the subkey using gpgkey2ssh (which I can propagate
> to .ssh/authorized_keys of the remote machines).
> 
> I'm stuck, unable to understand how to integrate the secret key of the above
> authentication subkey with gpg-agent (or ssh-agent for that matter, though
> gpg-agent is my preferred choice now :-)).

I am having this problem as well.  I created both an RSA and a DSA
subkey, as well as (for testing purposes) a new separate key (DSA).

I had expected them to show up in 'ssh-add -l' (I use gpg-agent with
ssh-agent support) ... but they don't.

It would be very helpful to know: why this doesn't happen, and how to
get it to work.


Thanks
-Alex Mauer hawke





Re: Questions about generating keys

2007-08-22 Thread Robert J. Hansen
Oskar L. wrote:
> - They don't have a 1024 bit limit, like DSA has. I know DSA2 can
> have larger keys, but last I heard PGP can't use them.

The latest versions of PGP support them.

> - RSA is faster.

If you are repeatedly encrypting and/or decrypting enormous files, then
yes, this is potentially an issue.  Otherwise, there is no practical
difference in speed you will notice.

> I can't understand why RSA isn't the default.

The OpenPGP specification came out in the late nineties.  RSA did not
enter the public domain until August of 2000.  The IETF refused--rightly
so--to make a patented algorithm the default OpenPGP algorithm.

> The only argument defending DSA I've heard is that DSA creates
> smaller signatures. Is this really so important to people that they
> are willing to give up all the benefits of RSA for it?

This implicitly casts RSA as being somehow universally superior.  It's
not.  Nor is it inferior.  In a couple of very narrow fields, RSA is
superior.  In others, DSA is probably superior.  In yet others, Rabin
signatures are probably best.  (Me, I've wondered for years why OpenPGP
doesn't support Rabin; it's a beautifully elegant algorithm.  And then I
kick myself and say duh, to keep the number of algorithms down, just
like with Lamport signatures and WHIRLPOOL!, and go on with my business.)

> Why was the sixth option removed?

Because it's a deprecated key style.  There's nothing inherently wrong
with it, but most authorities today recommend using separate signing and
encryption keys.

> By the way, is there a security or performance difference between a 
> RSA (sign and encrypt) keypair with no subkeys, and a RSA (sign only)
> keypair with a RSA (encrypt only) subkey?

Only when it comes to recovering from a security-related incident.  If
the cops come by and force you to give the private part of a key used to
encrypt a message, fine, you can do so without yielding your signing key.




Re: Questions about generating keys

2007-08-22 Thread David Shaw
On Wed, Aug 22, 2007 at 08:36:36PM +0300, Oskar L. wrote:
> Robert J. Hansen wrote:
>> 2. Why do you need an RSA keypair?  The overwhelming majority of users
>>    are best served by sticking with the defaults--which, in this case,
>>    means a DSA/Elgamal keypair.
> 
> I prefer RSA keys because
> 
> - DSA does not have a hash firewall.
> 
> - They don't have a 1024 bit limit, like DSA has. I know DSA2 can have
>   larger keys, but last I heard PGP can't use them.

I'm not sure if that is still true or not, but either way, if PGP
doesn't use them now, it will soon.  The new OpenPGP spec supports
large DSA (so-called DSA2) keys.

> - The hash used is not limited to 160 bits, like it is with DSA.

Same here.  DSA2 supports larger hashes.

> - RSA is faster.

This is actually not completely true.  DSA makes signatures faster
than RSA.  RSA verifies signatures faster than DSA.  Since most
signatures are verified more often than they are generated, this is
generally stated as RSA being faster, but in OpenPGP usage, this is
almost always irrelevant.  Unless you're issuing thousands of
signatures a second, the time needed to read the files, and do the
hashing is far more significant.

> I can't understand why RSA isn't the default. The only argument defending
> DSA I've heard is that DSA creates smaller signatures. Is this really so
> important to people that they are willing to give up all the benefits of
> RSA for it?

Now that DSA2 is here, there aren't really that many benefits to RSA
(and I say this as someone with an RSA key).  In theory, DSA is better
because it is required by OpenPGP: you won't be able to find any
OpenPGP implementation that doesn't handle it.  This is not true of
RSA (it's legal for a program to reject it just because it is RSA).
In practice, that doesn't happen much because the big two, PGP and
GPG, both handle RSA.

So DSA is the default because the OpenPGP standard requires it to be
present, and does not require the same of RSA.  The reasons behind
this were mainly legal stuff and not relevant any longer.

> What I find really strange is that
> the archives mention a sixth option, (6) RSA (sign and encrypt), but
> version 1.4.6 gives me:
> 
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (3) DSA (set your own capabilities)
>    (5) RSA (sign only)
>    (7) RSA (set your own capabilities)
> 
> Why was the sixth option removed?

The feature wasn't removed.  Option 7 took its place.  RSA (sign and
encrypt) is the same thing as RSA (set your own capabilities) - just
turn on the sign and encrypt flags.

> By the way, is there a security or performance difference between a
> RSA (sign and encrypt) keypair with no subkeys, and a RSA (sign only)
> keypair with a RSA (encrypt only) subkey?

No performance difference.  There is a minor security difference
between one and two keys in that if your key is compromised, with one
key you've compromised both your signing and encrypting capabilities.
With two keys, you've only compromised the one.

The usual example of this is the police demanding an encryption key
from you (which they can do in many places around the world).  If you
have a subkey for encryption, you could turn over that subkey without
affecting your primary key (and thus all the signatures you've
gathered and issued).  If you don't have a subkey for encryption, you
can be forced into turning over the one key, which compromises your
signing key as well.

> David Shaw wrote:
>>> Is there any way to manually set the time that will be used for the
>>> creation time? Or do I have to change the system time if I don't want to
>>> use the current time? I'm a bit of a perfectionist, and think 00:00:00
>>> looks much better than something like 01:42:57.
>>
>> As it happens, this will probably be possible in an upcoming version,
>> but for other reasons.
> 
> Nice! I'm curious about what these reasons are.

Mainly the use of GPG inside anonymous remailers and similar proxies.
In cases like that you may want to randomize or force the internal
timestamps to hide the original values.

> James wrote:
>> - E-mail clients using PGP won't be able to automatically know
>> which key to use when e-mailing you - they'd have to setup
>> specific mappings.
> 
> That's ok, since they would have the same problem if the address
> in my key differed from the one in their address book. Since
> not specifying an e-mail address doesn't seem to go against the
> OpenPGP specification, I think I won't specify one when I create
> my new key.

There is a whole lot of code in the world that really really expects
an email address in there.  You're free to do what you want, but don't
be surprised when something breaks.

David



Re: Questions about generating keys

2007-08-22 Thread Oskar L.
Thanks again for all your answers, I'm really interested in this kind of
stuff.


Robert J. Hansen wrote (regarding DSA2 keys):
> The latest versions of PGP support them.

That's good news. Can it also create them? But there are probably still
many using older versions. I know some who refuse to update from 6.5.8.


David Shaw wrote:
> Now that DSA2 is here, there aren't really that many benefits to RSA
> (and I say this as someone with an RSA key).  In theory, DSA is better
> because it is required by OpenPGP: you won't be able to find any
> OpenPGP implementation that doesn't handle it.  This is not true of
> RSA (it's legal for a program to reject it just because it is RSA).
> In practice, that doesn't happen much because the big two, PGP and
> GPG, both handle RSA.
> 
> So DSA is the default because the OpenPGP standard requires it to be
> present, and does not require the same of RSA.  The reasons behind
> this were mainly legal stuff and not relevant any longer.

I wasn't aware of this, thanks for the info!


David Shaw wrote:
> This is actually not completely true.  DSA makes signatures faster
> than RSA.  RSA verifies signatures faster than DSA.  Since most
> signatures are verified more often than they are generated, this is
> generally stated as RSA being faster, but in OpenPGP usage, this is
> almost always irrelevant.  Unless you're issuing thousands of
> signatures a second, the time needed to read the files, and do the
> hashing is far more significant.

Robert J. Hansen wrote:
> If you are repeatedly encrypting and/or decrypting enormous files,
> then yes, this is potentially an issue.  Otherwise, there is no
> practical difference in speed you will notice.

Ok, so RSA isn't always significantly faster, as I thought it was. I had
read somewhere that it was, (probably on this list) and my own testing
with my 4GB backup files showed RSA to be notably faster.


David Shaw wrote:
> Same here.  DSA2 supports larger hashes.

So would it be fair to sum up the differences like this:
- for signing DSA is faster, for verification RSA is faster,
  but there's not much of a difference.
- OpenPGP implementations must support DSA, but supporting RSA
  is optional, but both gpg and PGP support RSA, so there's
  not much of a difference.
- original DSA limited to 1024 bit keys and 160 bit hashes.
- DSA signatures are smaller.
- updated DSA, aka DSA2, equal to RSA when it comes to the
  lengths of keys and hashes.
- Of PGP, only the newest versions support DSA2 keys.
- RSA has a hash firewall

If there are no other significant differences that I have missed, since I
want a key larger than 1024 bits, it must be a DSA2 or RSA key. RSA gets a
minus for not being required by OpenPGP, but only a small one since it is
supported anyway. DSA2 gets minus points both for lack of support in older
versions of PGP, and for lack of a hash firewall. RSA still seems better
to me, but not by as much as I previously thought.


Robert J. Hansen wrote:
> The OpenPGP specification came out in the late nineties.  RSA did
> not enter the public domain until August of 2000.  The IETF
> refused--rightly so--to make a patented algorithm the default
> OpenPGP algorithm.

So they accepted RSA into the standard, while it was still restricted by
patents, as long as it wasn't made the default? I took for granted that an
open standard like OpenPGP would not have accepted any patented stuff into
the standard, and that RSA was added later, after the patents ran out. I'm
a bit sad to find out I was wrong, I was under the impression that OpenPGP
only allowed completely free and open algorithms.

If the IETF refused to make RSA the default, does that mean that the
people behind OpenPGP originally wanted it to be the default, but then had
to change it to DSA?


> Relying on the 'highly effective Security via Obscurity' model, huh?
> 
> There's no guarantee that your key won't end up on a keyserver nor is
> there one that your private email address won't leak into the public,

I would not say that just because someone doesn't willingly make their
address available to spammers makes them a believer in security through
obscurity. Full disclosure is not a good strategy when it comes to
personal information like e-mail addresses, credit card numbers etc.

Saying that going through a little trouble to greatly decrease the risk of
something bad happening is not worth it because it won't make you 100%
secure makes no sense. That's like saying that you can't get 100%
protection from dying in a car crash, so therefore don't bother using a
seatbelt.

For example, this list has a public archive with the posters' e-mail
addresses, so spammers can easily get them. Having a separate account for
e-mail lists that deletes everything not coming from the lists is not much
trouble, but it makes it a lot harder for the spammers to get your
address, if it is not available anywhere on the web. Spammers also find
addresses by sending out mail to common names at different domains, to see
if they bounce 
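The two list items about hash lengths and the "hash firewall" can be seen concretely. The following is an added example, not code from any poster: it builds the PKCS#1 v1.5 encoded message that RSA signs, whose DER DigestInfo prefix (RFC 3447, section 9.2) names the hash algorithm, so a verifier can tell which hash was used; and it computes the integer a DSA/DSA2 signature covers, which is just the leftmost q-sized slice of the digest (RFC 4880, section 5.2.2) and carries no algorithm identifier. The function names are this example's own.

```python
import hashlib

# DER DigestInfo prefixes from RFC 3447 section 9.2, note 1.  The prefix
# names the hash algorithm inside the data that RSA actually signs.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo, as signed by RSA PKCS#1 v1.5."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:  # RFC 3447 requires at least 8 bytes of 0xff padding
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_bound_hash_name(em: bytes) -> str:
    """Return the hash algorithm the DigestInfo inside EM names (the 'hash firewall')."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad EM header")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad padding")
    t = em[i + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name
    raise ValueError("unknown DigestInfo")


def rsa_verify_em(em: bytes, message: bytes, expected_hash: str) -> bool:
    """Verifier side: EM must equal a re-encoding with the hash the verifier expects,
    so a signature made over a different (weaker) hash cannot be passed off as this one."""
    return em == emsa_pkcs1_v15_encode(message, expected_hash, len(em))


def dsa_hash_input(message: bytes, hash_name: str, q_bits: int) -> int:
    """DSA/DSA2 signs only an integer: the leftmost min(q_bits, digest bits) bits of the
    digest (RFC 4880 section 5.2.2).  Nothing in it records which hash produced it, and a
    SHA-512 digest on a 256-bit q is cut down to its first 256 bits."""
    h = hashlib.new(hash_name, message).digest()
    out_bits = len(h) * 8
    keep = min(q_bits, out_bits)
    return int.from_bytes(h, "big") >> (out_bits - keep)
```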

Re: Questions about generating keys

2007-08-22 Thread Robert J. Hansen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Oskar L. wrote:
 That's good news. Can it also create them? But there are probably
 still many using older versions. I know some who refuse to update
 from 6.5.8.

Yes.

And yes, there are still people using the very old 6.5.8 codebase.
These people ought to be dragged out into the street and forcibly
introduced into the twenty-first century, but hey, that's just my opinion.

 Ok, so RSA isn't always significantly faster, as I thought it was. I
 had read somewhere that it was, (probably on this list) and my own
 testing with my 4GB backup files showed RSA to be notably faster.

Err--how?

When you're doing a signature, you're signing less than 1k of data with
RSA or DSA.  When you're encrypting a file, less than 1k of data is
being encrypted with RSA or Elgamal.

How does this test show any speed difference between the two?  The time
differential between RSA/DSA/Elgamal is statistical noise given the
much, much larger time spent reading the 4GB of data.

 - for signing DSA is faster, for verification RSA is faster, but
 there's not much of a difference.

I'd just keep the last clause.  There's not much of a difference.

Timing of DSA versus RSA will depend heavily on everything from
processor load to disk I/O to the phase of the moon.  Generally
speaking, yes, the first two clauses are correct, but it's impossible to
say with specificity what will happen in your particular environment.

 - OpenPGP implementations must support DSA, but supporting RSA is
 optional, but both gpg and PGP support RSA, so there's not much of a
 differance.

Pretty much.

 - original DSA limited to 1024 bit keys and 160 bit hashes.

Yes.

 - DSA signatures are smaller.

Yes.

 - updated DSA, aka DSA2, equal to RSA when it comes to the lengths
 of keys and hashes.

Not really.  E.g., DSA2048 uses SHA256 as a hash algorithm.  But I can
use SHA512 with an RSA2048 key.  RSA keys offer the best selection of
hash algorithms, but this is mostly a canard.

 - Of PGP, only the newest version support DSA2 keys.

Newest versions, not version.  I think PGP 9.0 introduced DSA2, and
they're up to 9.5.

 - RSA has a hash firewall

Yes, but I am unconvinced that this is something an average user needs
to be concerned about.  (I'm concerned about it, but I freely admit to
being paranoid.)

 RSA still seems better to me, but not by as much as I previously
 thought.

What does this "better" mean?

Seriously.  You're arguing about whether Godzilla or Mechagodzilla is
more effective at flattening downtown Tokyo.  The answer doesn't matter.
Whether it's Godzilla or Mechagodzilla, people are still going to run
for the hills.

Likewise, given the astronomical difficulty of attacking either RSA or
DSA, it's hard for me to say one is better.  The instant an attacker
sees RSA or DSA, the attacker is going to give up trying to forge a
message by cryptanalytic means.

In a lot of ways, I think this is arguing over how many angels can dance
on the head of a pin.

 So they accepted RSA into the standard, while it was still restricted
 by patents, as long as it wasn't made the default?

You can have a perfectly OpenPGP-conformant application that treats RSA
messages as noise and silently discards them.

In RFC language, there are a few special keywords that are almost always
capitalized:

MUST: a conformant application is required to...
SHOULD: while not required for conformance, it is good if...
MAY: totally irrelevant to conformance, but worth considering...
NOT: invert the meaning of the preceding word.

DSA is a MUST algorithm, as are SHA-1 and 3DES.

RSA is a MAY algorithm.

 I took for granted that an open standard like OpenPGP would not have
 accepted any patented stuff into the standard

It didn't.  You can implement OpenPGP without paying anyone a dime in
patent royalties.

 If the IETF refused to make RSA the default, does that mean that the 
 people behind OpenPGP originally wanted it to be the default, but
 then had to change it to DSA?

The distinction between the IETF and the people behind OpenPGP is
not as big as you might think.

The IETF is fundamentally composed of a lot of people who are interested
in technology.  That's all.  Their working groups (WGs) are open to the
public.  Public participation on IETF mailing lists is heavily
encouraged.  I sit on the IETF OpenPGP mailing list just to track the
latest changes.

In Ye Olden Days, when Phil Z. was developing Classic PGP (PGP 2.6,
RFC1991), his attitude towards intellectual property was remarkably
cavalier.  It created an awful lot of problems for PGP 2.6, since
practically everything about it was patent-encumbered.  The patent
problems were one of the driving forces behind the development of a
next-generation PGP technology, which became OpenPGP (RFC2440).

From the very earliest days of OpenPGP, there has been a strong
commitment to the total absence of patent-encumbered algorithms from MUSTs.

 I would not say that just because someone