1 |
On Tue, Feb 19, 2013 at 7:12 PM, Robin H. Johnson <robbat2@g.o> wrote: |
2 |
> On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote: |
3 |
>> > 2. root key & signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits |
4 |
>> > 2.2. RSA, >=2048 bits |
5 |
> ... |
6 |
>> 1024 DSA keys seem pretty short to me. Surely it might be inconvenient |
7 |
>> for some (2-3? please write a mail here!) people with smart cards. But |
8 |
>> then again, especially people going through the hell of using a |
9 |
>> physical token would understand the need for decent crypto. ;) |
10 |
> A physical token defends against a different method of attack than a |
11 |
> longer key. Simply having a longer key isn't going to help you if store |
12 |
> the key on the laptop and it gets compromised: presuming the attacker |
13 |
> extracts your secret key and passphrase). In such a case, the smartcard |
14 |
> at worst limits him to doing some number of signatures only, or even |
15 |
> better if the reader has a hardwired pinpad, he gets nowhere at all. |
16 |
|
17 |
I'm a bit confused. |
18 |
|
19 |
I agree that a smartcard is much better security vs a longer key. I |
20 |
don't think attackers targetting Gentoo are going to brute force the |
21 |
key. They are going to steal the key, trivially, by exploiting a 0-day |
22 |
in a crappy browser, or flash, or java, or whatever. A smartcard is |
23 |
the defense against this attack (because the key material is well |
24 |
protected, and they need physical access to actually relocate it.) |
25 |
Storing it in the TPM would also be cool, except TPMs are crap on |
26 |
Linux, *and* most hardware TPMs are crap anyway. |
27 |
|
28 |
> |
29 |
> Also, if there is a Well-Funded-Organization attacking Gentoo, there are |
30 |
> MUCH more effective ways for them to compromise us. Any perceived gains |
31 |
> in that field from requiring DSA2048 and blocking DSA1024 should be |
32 |
> examined very closely. |
33 |
|
34 |
I would ask the opposite question. What is the perceived difficulty in |
35 |
using DSA2048 vs 1024? For the non-smartcard users, the cost is likely |
36 |
trivial. Even your perf data shows that signing requests still |
37 |
complete in 200ms or less, and that is on old / slow hardware. |
38 |
|
39 |
> |
40 |
>> I think key rotation is overdoing it and pretty annoying. Better use a |
41 |
>> non-annoying, long key from the start? |
42 |
> NOWHERE did I require key rotation. Why do you think that I did? |
43 |
> My own key is more than a decade old. I need to see about replacing it |
44 |
> soon, but I've been trying to hold out for the OpenPGP standard to have |
45 |
> ECC included, before I repeat getting my extremely large web-of-trust. |
46 |
> |
47 |
>> > 4. If you intend to sign on a slow alternative-arch, you may find |
48 |
>> > adding a DSA1024 subkey significantly speeds up the signing. |
49 |
>> How slow is that actually? Does it make signing very inconvenient? |
50 |
>> Maybe someone with a slow machine can write about performance and the |
51 |
>> "annoyence-factor"... ;) |
52 |
> Some benchmark results from hake.hppa.dev.g.o, 552Mhz PA-RISC box. |
53 |
> |
54 |
> Average of running clearsign ~100 times, for various signature types. |
55 |
> The gpg.conf was set as in my initial post. |
56 |
> |
57 |
> DSA1024 0.059830s |
58 |
> DSA2048 0.158800s |
59 |
> DSA3072 0.274850s |
60 |
> RSA1024 0.060020s |
61 |
> RSA2048 0.173070s |
62 |
> RSA4096 0.896480s |
63 |
> |
64 |
> For reasons of time, while I wanted to create the keys on the host as |
65 |
> well for timing, I gave up after the first key, DSA1024, took more than |
66 |
> 3 minutes (I did ensure that /dev/random was not the blocking factor). |
67 |
> |
68 |
> If somebody from MIPS or m68k wants to chime in, I think they probably |
69 |
> have the slowest hardware around presently. |
70 |
|
71 |
djm works for Google, and I chat with him at least once a quarter. |
72 |
I've seen some patches go by that we could re-purpose for gpg-agent |
73 |
forwarding. For slow machines we could have them sign on a |
74 |
faster-trusted machine with a forwarded agent. |
75 |
|
76 |
-A |
77 |
|
78 |
> |
79 |
> -- |
80 |
> Robin Hugh Johnson |
81 |
> Gentoo Linux: Developer, Trustee & Infrastructure Lead |
82 |
> E-Mail : robbat2@g.o |
83 |
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
84 |
> |