Snoken wrote: > Hi, > Interoperability with PGP 8 matters too. > Signatures made with RSA 4096-keys (or shorter) and SHA256 can be > verified by users of PGP 8. > N.B. Not any other new hashes! > Please note the option: --pgp8 > Snoken
What I was trying to do was bring a real world perspective to this question. Are you using PGP 8? Do you know anybody who is using PGP 8? http://www.pgpi.org http://www.pgpi.org/news/#20021203 (personally, I think they should close the web pages down, I get all the history I need on the History channel on TV) Since PGP 8 was released in December 2002 and nothing has been done with it for 4-1/2 years now, it is getting pretty long in tooth. PGP Corporation is up to at least PGP 10.x the last time I checked (last year). I would advise people using software that is that old (PGP 8) to update to newer stuff. Whether they drag the keys they created with PGP 8 along with them is up to them. I haven't had any problems with building GnuPG 1.4.x for either FreeBSD or OpenBSD. It of course works with all versions of Linux, Mac OS X, and Windows. I won't discuss the GnuPG 2.0.X line since it hasn't been built for Windows yet. Most of the people using my SIGS to verify that what I have provided is kosher will be using Microsoft Windows. They will outnumber Linux users by a factor of at least 4:1. They will also take the GnuPG defaults (with a key that lasts forever - how optimistic). There will be a smattering of Mac and other OS users. But they will *ALL* be working from a desktop system. They may have a PDA, but that is a secondary platform for them. Werner cautioned that a key size this large (4096R) causes severe problems with PDAs with limited CPU power and a large number of signatures on each key. I have absolutely no reason to doubt his statements and accept them as true. I don't see my keys being used with either of those constraints. What I am providing is for end user desktop systems and I cannot foresee these keys which will be part of the WOT as having more than just a few sigs. Most of the people using what I am providing have even more powerful machines than I have. You see, I gave you the actual stuff that is going to be signed - a blocking hosts file and PAC filter that blocks broad swaths of the Internet. I am still working on the Ad filtering stuff. Most web sites that can detect AdBlock Plus in Firefox still can't detect the presence of a PAC filter. These keys are NOT the keys that are used with this email account (still 1024 bit DSA for at least a year and I see no valid reason to change it - it works well). Caution and experience teaches me that you never know for sure how something will end up being used. Just because it is technically feasible to use a 4096 bit RSA key doesn't mean it is the optimal choice. Each person's choice has to be tailored to how they and *OTHERS* will use that key. Keep the *OTHERS* in mind when you make your choices. We have already established that 1024 bit RSA keys still have a few years of TECHNICAL life left in them (which should also hold true for DSA keys as well). But CPUs just keep getting faster (even on PDAs - where did the Hobbit chip go?), and I don't foresee anybody using my keys on a PDA. If they do, at least they won't have a lot of sigs on that particular key. I worked on the nascent PDAs with the PenPoint OS. The hand writing recognition I worked on was infinitely superior to what exists now if you ask me. But for the life of me I can't understand somebody using these keys on that limited of a platform. If they do, it will only be for one or two questions to me and answers from me and after that they will just delete my key on their PDA. That has been my experience up to now and I see no reason for it to change. In other words, I don't foresee anybody other than desktop platform users who will be using this key (it does NOT replace my present key). But that sig will be infinitely better than a check sum that anybody can change. At this point I am still leaning toward the maximum which may be seen as a minimum eight years from now. I am always looking toward the future. I also want something that people can't even question from a technical perspective. Keep that last statement in mind. If I have to, I will remove keys entirely (secure remove written by myself) for tricky operations with bad hosts on the Internet And don't think for one minute that Linux systems are secure from all Internet attacks - THEY ARE NOT SECURE FROM ALL OF THEM! That holds for Mac OS-X and *BSD as well. HHH -- Why hack in when you can drive in on Hwys. 80, 110, 194, 220, 443, 993, 994 & 995?
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
