On May 4, 2009, at 11:21 AM, Raimar Sandner wrote:

On Monday 04 May 2009 04:56:24 David Shaw wrote:

If you want a DSA2 key:

  gpg --enable-dsa2 --gen-key

Select option 1, and enter 3072 for the DSA key size.


If you want an RSA key:

 gpg --cert-digest-algo sha256 --gen-key

Select option 5.  Enter an RSA key size.  The default (2048) is fine.

Why do you recommend the DSA2 signing key to be larger than the RSA signing
key?

Heh. It's because of fussy internal parameter settings. DSA2 keys can use different hashes, and the hashes they use are tied to the key size. There is some looseness in the parameters, but in GPG it basically boils down to this:

If the key is over 2048 bits, use a 256-bit hash.
If the key is over 1024 bits, use a 224-bit hash.
Otherwise, use a 160-bit hash.

I couldn't specify the DSA key to be 2048 bits long to match the RSA key because that would have given it a 224-bit hash instead of the promised 256-bit hash.

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
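The following is an added example, not code from the thread or from GnuPG itself. It encodes the key-size-to-hash-size rule David gives above, and adds the reason that rule matters: a DSA signature only ever covers the leftmost N bits of the digest, where N is the bit length of the subgroup order q (FIPS 186-3 specifies min(N, outlen) bits), so a hash wider than q is silently truncated. The function names are my own, and the thresholds are taken from David's description rather than read out of GnuPG's source.

```python
import hashlib


def dsa2_hash_bits(key_bits: int) -> int:
    """Hash (q) size GnuPG picks for a DSA2 key of the given size,
    following the rule stated in the thread."""
    if key_bits > 2048:
        return 256
    if key_bits > 1024:
        return 224
    return 160


def effective_hash_bits(key_bits: int, hash_name: str) -> int:
    """Bits of the named hash that actually enter a DSA signature
    made with a key of this size: min(N, outlen) per FIPS 186-3."""
    outlen = hashlib.new(hash_name).digest_size * 8
    return min(dsa2_hash_bits(key_bits), outlen)


def effective_digest(message: bytes, hash_name: str, q_bits: int) -> bytes:
    """The part of the digest a DSA signer with an q of q_bits really signs.
    q_bits is assumed to be a multiple of 8, which holds for 160/224/256."""
    digest = hashlib.new(hash_name, message).digest()
    n_bytes = min(q_bits, len(digest) * 8) // 8
    return digest[:n_bytes]


def summarize(key_bits: int, hash_name: str) -> str:
    """Human-readable line showing whether the chosen hash is fully used."""
    q = dsa2_hash_bits(key_bits)
    used = effective_hash_bits(key_bits, hash_name)
    outlen = hashlib.new(hash_name).digest_size * 8
    note = "full strength" if used == outlen else f"truncated to {used} bits"
    return f"DSA {key_bits}-bit key (q={q}) with {hash_name}: {note}"


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    msg = b"example message"
    for key_bits in (1024, 2048, 3072):
        print(summarize(key_bits, "sha256"))
    # With a 2048-bit key only the first 28 bytes of SHA-256 are signed,
    # so the signed value is identical to the 3072-bit case cut short.
    print(effective_digest(msg, "sha256", 224) == effective_digest(msg, "sha256", 256)[:28])
```

Running it shows why 3072 and not 2048 was recommended: a 2048-bit DSA2 key gets q of 224 bits, so SHA-256 is cut to 224 bits before signing, while the 3072-bit key's 256-bit q lets the whole SHA-256 output count.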
