-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just some quick thoughts on this:

> 2. root key & signing subkey of EITHER:
> 2.1. DSA, 1024 or 2048 bits
> 2.2. RSA, >=2048 bits

I don't really agree. From your own link
(https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#dont-use-pgp-mit-edu):

"Many people still have 1024-bit DSA keys. You really should consider
transitioning to a stronger bit-length and hashing algo. This size is
known now to be within Well Funded Organizations’ ability to break.
Also the hashing algo is showing its age."

Some more opinions from different studies: keylength.com.

19 |
1024 DSA keys seem pretty short to me. Surely it might be inconvenient |
20 |
for some (2-3? please write a mail here!) people with smart cards. But |
21 |
then again, especially people going through the hell of using a |
22 |
physical token would understand the need for decent crypto. ;) |
23 |
|
24 |
I think key rotation is overdoing it and pretty annoying. Better use a |
25 |
non-annoying, long key from the start? |
26 |
|
> 4. If you intend to sign on a slow alternative-arch, you may find
> adding a DSA1024 subkey significantly speeds up the signing.

How slow is that actually? Does it make signing very inconvenient?
Maybe someone with a slow machine can write about performance and the
"annoyance-factor"... ;)

Best regards,

Craig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlEkGjEACgkQuiczp+KMe7SkWACgrioKjFkuPwJOxUCmhGKcC4Ib
uyQAmwUfM7u3x6sD1rmQJrEjjUu7C6ok
=OyqH
-----END PGP SIGNATURE-----
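
An added example, not part of the original message: a small audit of `gpg --list-keys --with-colons` output that flags root keys and signing subkeys below a minimum length. The RSA minimum comes from the quoted draft; the DSA minimum of 2048 is an assumption that applies the reply's objection to 1024-bit DSA, and the key listing is constructed sample data.

```python
"""Audit a gpg --with-colons key listing against a key-length policy."""

# Public-key algorithm ids used in gpg's colon output: 1 = RSA, 17 = DSA.
# Assumed minimums: RSA >= 2048 is from the quoted draft; DSA >= 2048 reflects
# the reply's objection to 1024-bit DSA. Other algorithms are not judged here.
MIN_BITS = {"1": ("RSA", 2048), "17": ("DSA", 2048)}

# Constructed sample listing (key ids are placeholders, not real keys).
# Fields used: 1 record type, 3 length, 4 algorithm, 5 key id, 12 capabilities.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1104537600::::::e:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1356998400:::u:::cSC:
sub:u:1024:17:DDDDDDDDDDDDDDDD:1356998400::::::s:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1356998400::::::e:
"""


def audit(listing, min_bits=MIN_BITS):
    """Return (keyid, record, algorithm, bits) for each key below the minimum."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        record, bits, algo, keyid, caps = (
            fields[0], fields[2], fields[3], fields[4], fields[11])
        # The policy covers the root key and signing subkeys only, so
        # encryption-only subkeys are skipped.
        if record == "sub" and "s" not in caps:
            continue
        if algo not in min_bits or not bits.isdigit():
            continue
        name, minimum = min_bits[algo]
        if int(bits) < minimum:
            findings.append((keyid, record, name, int(bits)))
    return findings


if __name__ == "__main__":
    for keyid, record, name, bits in audit(SAMPLE):
        print(f"{keyid} ({record}): {name} {bits} bits is below the minimum")
```

Passing a `min_bits` mapping with a DSA minimum of 1024 reproduces the draft policy as quoted, under which the same sample listing produces no findings.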