long-term GPG signing key

Adam Back adam at cypherspace.org
Wed Jan 11 09:22:30 EST 2006

There are a number of differences in key management priorities between
(communication) signature and encryption keys.

For encryption keys:
- you want short lived keys
- you should wipe the keys after at first opportunity
- for archiving you should re-encrypt with storage keys

- you can't detect or prove an encryption key is compromised as the
attacker will just be decrypting documents

For signature keys:

- you want longer lived keys (or two tier keys, one for ceritfying
that is kept offline, and one for signing communications that is
offline) - in fact many applications dont even want signatures they
want authentication (convince the recipient of author and integrity,
but be non-transferable)

- with signature keys if they are compromised and the compromised key
used, there is risk (to the attacker) that the recipient or others can
detect and prove this.

I do agree tho that the relative value of encryption vs signature
depends on teh application.


On Wed, Jan 11, 2006 at 09:04:07AM -0500, Perry E. Metzger wrote:
> Ian G <iang at systemics.com> writes:
> > Travis H. wrote:
> >> I'd like to make a long-term key for signing communication keys using
> >> GPG and I'm wondering what the current recommendation is for such.  I
> >> remember a problem with Elgamal signing keys and I'm under the
> >> impression that the 1024 bit strength provided by p in the DSA is not
> >> sufficiently strong when compared to my encryption keys, which are
> >> typically at least 4096-bit D/H, which I typically use for a year.
> >
> > 1. Signing keys face a different set of
> > non-crypto threats than to encryption
> > keys.  In practice, the attack envelope
> > is much smaller, less likely.
> I call "bull".
> You have no idea what his usage pattern is like, and you have no idea
> what the consequences for him of a forged signature key might be. It
> is therefore unreasonable -- indeed, unprofessional -- to make such
> claims off the cuff.
> -- 
> Perry E. Metzger		perry at piermont.com
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list