Debian encouraging use of 4096 bit RSA keys

Werner Koch wk at gnupg.org
Wed Sep 15 04:07:56 EDT 2010


On Tue, 14 Sep 2010 17:01, hmh at debian.org said:

> I'd appreciate some input from this list about the Debian bias towards 4096
> RSA main keys, instead of DSA2 (3072-bit) keys.  Is it justified?

We have made RSA the default in GnuPG for three reasons: First, DSA >
1024 is only supported by more recent versions of OpenPGP
implementations whereas RSA has been supported for 10 years now with any
sane key size.  Second, we want to support SHA2 et al as soon as possible;
this is not possible with DSA-1024.  Third, DSA signing is fast
(DSA-3072 is about 7 times faster than RSA-4096); however, verification is
much slower (~15 times).  Given that for most use cases verification is
the most prominent operation (think only of checking hundreds of key
signatures per key), this is what we want to optimize for.

OTOH, DSA vs. RSA is not the real question.  I have not seen a threat
model for DD keys.  I would claim that the best way to attack Debian's
code signing is to take over a developer's box and make use of his/her
key [1].  With ~ 1000 developers and thus at least this number of boxes and
keys this is by far an easier way for malicious actions than even to
think about how to break RSA-2048.  I doubt that this situation will
change in the next 10 years.

> These keys are used as KSK, as gpg will happily attach subkeys to them
> for the grunt work...

Right, but then you should take the primary key offline or put it on a
smart card - this removes the option to attack the primary key on the
developer's box.  And if one of the subkeys has been compromised it is
very easy to replace that subkey.  


Salam-Shalom,

   Werner



[1] An even easier way is to subvert the upstream source.

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
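
Added example, not part of the original message and not GnuPG code: a small check that a primary key is offline or on a smart card while the subkeys stay usable, as the reply recommends. It parses `gpg --list-secret-keys --with-colons` output and assumes the field layout in GnuPG's doc/DETAILS (field 15 is "#" for a stub, a serial number for a card key, "+" or empty for local secret material); the key IDs and listing below are constructed sample data.

```python
"""Audit a gpg --with-colons secret-key listing for an offline primary key."""

ALGOS = {"1": "RSA", "16": "ELG", "17": "DSA"}  # OpenPGP public-key algorithm IDs

def secret_location(field15):
    """Map colon-listing field 15 to where the secret key material lives."""
    if field15 == "#":
        return "offline"      # stub only: the secret part is not on this box
    if field15 in ("", "+"):
        return "on-disk"      # secret part is stored in the local keyring
    return "smartcard"        # any other value is a token serial number

def audit(listing):
    """Return one dict per primary key, with subkeys and a protection verdict."""
    keys = []
    for line in listing.splitlines():
        f = line.strip().split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue          # skip uid, fpr, grp and malformed records
        rec = {
            "keyid": f[4],
            "algo": ALGOS.get(f[3], "algo-" + f[3]),
            "bits": int(f[2]),
            "caps": f[11],
            "where": secret_location(f[14]),
        }
        if f[0] == "sec":
            rec["subkeys"] = []
            keys.append(rec)
        elif keys:
            keys[-1]["subkeys"].append(rec)
    for key in keys:
        # Protected means malware on the developer's box cannot read the primary key.
        key["primary_protected"] = key["where"] != "on-disk"
    return keys

# Constructed listing: first key has an offline primary, second keeps it on disk.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1284537600:::u:::scESC:::#:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1284537600::::::s:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1284537600::::::e:::+:
sec:u:4096:1:DDDDDDDDDDDDDDDD:1284537600:::u:::scESC:::+:
ssb:u:3072:17:EEEEEEEEEEEEEEEE:1284537600::::::s:::D2760001240102000005000012340000:
"""

if __name__ == "__main__":
    for key in audit(SAMPLE):
        verdict = "ok" if key["primary_protected"] else "PRIMARY SECRET ON DISK"
        print(key["keyid"], key["algo"], key["bits"], key["where"], verdict)
        for sub in key["subkeys"]:
            print("   sub", sub["keyid"], sub["algo"], sub["bits"], sub["caps"], sub["where"])
```

A key that fails the check still has its certification key readable on the developer's box, so losing that box means replacing the whole key rather than one subkey.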

---------------------------------------------------------------------
The Cryptography Mailing List