On 08/31/2013 08:27 PM, Anthony Papillion wrote: > Personally, I trust my 4096 bit key for now until ECC is integrated > into GnuPG. Then, I'll recreate my keys. Looking for a key that will > never be broken is like looking for the fountain of youth: it's a nice > idea but not realistic to plan your life around. Security is always > moving. You have to be prepared to move with it.
And I was flamed for suggesting a 4096 bit key just a short six years ago. Currently I am using 2048R/2048R but I don't have top-secret needs. You should tailor your keys lengths and other factors to both yours AND OTHERS needs. The last time I checked I wasn't enciphering top-secret level embassy communiques. Make your keys to match their intended uses and part of that is what others can handle. But other than your key size maybe being too large for an iPhone (currently) all the rest of the advice you have given here is good. I noticed my previous 4096R/4096R did take a little bit of time and would not be appropriate for a person with s single core CPU so my current keys are 2048R/2048R so they can handle it. I especially like your fountain of youth analogy. It lets people know that there is no totally secure. There is only what is currently best for yours and others you communicate with needs. My main concern is that they don't upload those keys instantly to the key-servers after creating them. Play around with them for a while. Many people create keys with the following factors - no expire date - my current ones were for ten years but I can always revoke them if the key sizes finally become too small. They have lasted 2+ years now and I see no reason for them not to last at least another 3-5 years. But the day will come when they will no longer be adequate. There is no such thing as keys that can be used forever. - key sizes too large for THEIR needs and most especially for other people's needs. The key size really should be created to match OTHER people's needs more than yours. - passphrases that are either too short and simple or the opposite of being so long and and convoluted that even a top Jeopardy champion couldn't remember them. - no thought or knowledge of changing the preferences of their ciphers, digests and other factors. It isn't just the key sizes. http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt - uploaded WAY too soon to the key-servers without playing around with them for a while. This last issue is CRITICAL. They just don't understand the need to play and think for a sufficiently long time. They want to use what they have with others immmediately. LEARN PATIENCE! - don't immediately generate a key revoke and encipher the revoke file. I think most beginners would actually be better off with writing down their pass-phrase and storing it in a safety box but at the same time giving their keys a reasonable expire date. That is better than a key that they don't use enough, forget the pass-phrase, and then their key is lodged on the key-servers forever with no expration date and no chance for it to gracefully expire and pass on into history. It would also give them the opportunity to revoke the keylater on. I know. I said they should generate a revoke key file but they didn't do it. But at least with with the pass-phrase in a strong box they have the opportunity to revoke and upload the revoked keys to the key-servers. The 10K bit key size being spoken should be a play-toy to find out why it should NOT be used. That ten minutes to generate with the hottest CPU out there would probably be a pain for me even with my dual-core and lower level quad-core systems. I suspect it may take as long as ten seconds to verify a signed message. They would have no problems sending me an enciphered message with my shorter 2048R key and even a TWOFISH cipher. But I would suspect me sending them a PK enciphered message even with a CAST5 symmetric cipher as their first choice would take a LONG time. For an iPhone user it would be utterly impossible. PITA my foot! Just remember there are probably more iPhone users now than there are PC owners. HHH
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users