long-term GPG signing key
Adam Back
adam at cypherspace.org
Wed Jan 11 09:22:30 EST 2006
There are a number of differences in key management priorities between
(communication) signature and encryption keys.
For encryption keys:
- you want short lived keys
- you should wipe the keys after at first opportunity
- for archiving you should re-encrypt with storage keys
- you can't detect or prove an encryption key is compromised as the
attacker will just be decrypting documents
For signature keys:
- you want longer lived keys (or two tier keys, one for ceritfying
that is kept offline, and one for signing communications that is
offline) - in fact many applications dont even want signatures they
want authentication (convince the recipient of author and integrity,
but be non-transferable)
- with signature keys if they are compromised and the compromised key
used, there is risk (to the attacker) that the recipient or others can
detect and prove this.
I do agree tho that the relative value of encryption vs signature
depends on teh application.
Adam
On Wed, Jan 11, 2006 at 09:04:07AM -0500, Perry E. Metzger wrote:
>
> Ian G <iang at systemics.com> writes:
> > Travis H. wrote:
> >> I'd like to make a long-term key for signing communication keys using
> >> GPG and I'm wondering what the current recommendation is for such. I
> >> remember a problem with Elgamal signing keys and I'm under the
> >> impression that the 1024 bit strength provided by p in the DSA is not
> >> sufficiently strong when compared to my encryption keys, which are
> >> typically at least 4096-bit D/H, which I typically use for a year.
> >
> > 1. Signing keys face a different set of
> > non-crypto threats than to encryption
> > keys. In practice, the attack envelope
> > is much smaller, less likely.
>
> I call "bull".
>
> You have no idea what his usage pattern is like, and you have no idea
> what the consequences for him of a forged signature key might be. It
> is therefore unreasonable -- indeed, unprofessional -- to make such
> claims off the cuff.
>
> --
> Perry E. Metzger perry at piermont.com
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list