long-term GPG signing key

Ian G iang at systemics.com
Wed Jan 11 10:16:06 EST 2006

Perry E. Metzger wrote:
> Ian G <iang at systemics.com> writes:
>>Travis H. wrote:
>>>I'd like to make a long-term key for signing communication keys using
>>>GPG and I'm wondering what the current recommendation is for such.  I
>>>remember a problem with Elgamal signing keys and I'm under the
>>>impression that the 1024 bit strength provided by p in the DSA is not
>>>sufficiently strong when compared to my encryption keys, which are
>>>typically at least 4096-bit D/H, which I typically use for a year.
>>1. Signing keys face a different set of
>>non-crypto threats than to encryption
>>keys.  In practice, the attack envelope
>>is much smaller, less likely.
> I call "bull".
> You have no idea what his usage pattern is like, and you have no idea
> what the consequences for him of a forged signature key might be. It
> is therefore unreasonable -- indeed, unprofessional -- to make such
> claims off the cuff.

You seem to have missed the next sentance:

    ".... Unless you have
    particular circumstances, it's not
    as important to have massive strength in
    signing keys as it is in encryption keys."

As he asked "what the current recommendation
is" it seems reasonable to assume the general
case, not the particular, and invite him to
elaborate if so needed.  Etc etc.

Errata - if you (Travis) are using 4096-bit D/H
as your encryption keys, you might want something
a bit beefier for signing keys.  Check out
the key length calculator:


and click on "NIST 2005 Recommendations" and
also "ECRYPT 2005 Report" for comparison.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list