Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] Key signing: gpg version 1.4.6, and --disable-dsa2 option


On Thu, Oct 21, 2010 at 11:58:32AM +1100, Zenaan Harkness wrote:
>Hey sluggers, do you have experience of any problems using gpg's
>--disable-dsa2 option?
>
>gnupg 1.4.6 is what I am using (Ubuntu 8.04), although later today I
>should have a chroot for Ubuntu 10.04 if that makes any difference.
>
>  --disable-dsa2
>    Enables new-style DSA keys which (unlike the old style)  may  be
>    larger  than  1024  bit  and  use  hashes  other  than SHA-1 and
>    RIPEMD/160. Note that very few programs currently support  these
>    keys and signatures from them.
>
>I have only ever given my current key to about three people, and my
>root master/ private key has an old email address from 12+ years ago
>which I wish to make disappear.

I guess your key ID is AA41E5E0:

http://pgp.net.nz:11371/pks/lookup?op=vindex&fingerprint=on&search=0xAA41E5E0

To migrate your WoT, see:

http://www.debian-administration.org/users/dkg/weblog/48

>So I am going to create a new master key (pair).

You could see the instructions on creating a strong 4096-bit RSA key
at:

http://keyring.debian.org/creating-key.html

>Having just re-read the Gnu Privacy Handbook (GPH), it says:
>"DSA allows a key size up to 1024 bits. This is not especially good
>given today's factoring technology, but that is what the standard
>specifies. Without question, you should use 1024 bit DSA keys."
>
>Is there any reason I should not use --disable-dsa2 ?

You should use RSA keys of 2048 (or more) bits. The problem with a DSA
key is that by default it uses SHA1, which may be (or will be) vulnerable.
See:

http://csrc.nist.gov/groups/ST/hash/statement.html

You should read the page OpenPGP Best Practices at:

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

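Added example, not code from the thread or from GnuPG itself: a few POSIX shell helpers for doing what the reply recommends, i.e. generating a 4096-bit RSA key rather than a 1024-bit DSA one, telling gpg to prefer SHA-2 digests, and checking which digest a signature actually used and which algorithm/size your existing keys have. The batch parameter names and gpg.conf options are the ones documented in gpg's doc/DETAILS and gpg(1) for 1.4.x and 2.x; the name, e-mail address and the sample gpg output embedded below are made up for the example.

```shell
#!/bin/sh
# Added example (not from the SLUG thread or the GnuPG project).
# Parameter names and options follow gpg's doc/DETAILS and gpg(1);
# the name, address and sample gpg output below are constructed.

# Write a parameter file for `gpg --batch --gen-key FILE`: a 4096-bit RSA
# sign-only primary key plus a 4096-bit RSA encryption subkey, with SHA-2
# listed before SHA1 in the key's advertised preferences.
# No Passphrase: line is written (it would end up in a file or shell
# history); gpg 1.4 then creates the key unprotected, so set a passphrase
# straight afterwards with `gpg --edit-key KEYID passwd`.
# $1 = output path, $2 = real name (made up), $3 = e-mail (made up).
write_gen_key_params() {
    cat > "$1" <<EOF
%echo Generating 4096-bit RSA primary key and encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
%commit
%echo done
EOF
}

# Append digest preferences to a gpg.conf ($1). Caveat: cert-digest-algo
# SHA512 only works once you certify with the new RSA key; an old-style
# 1024-bit DSA key is limited to 160-bit hashes and gpg will refuse it.
write_gpg_conf_digest_prefs() {
    cat >> "$1" <<EOF
# Prefer SHA-2 for signatures, key certifications and new-key preferences.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
}

# OpenPGP hash algorithm IDs (RFC 4880 section 9.4) as printed by
# `gpg --list-packets` ("digest algo N").
digest_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin; print the digest name of each
# signature packet. Usage: gpg --list-packets sig.asc | signature_digests
signature_digests() {
    sed -n 's/.*digest algo \([0-9][0-9]*\),.*/\1/p' | while read -r id; do
        digest_name "$id"
    done
}

# Read `gpg --list-keys --with-colons` output on stdin; print key ID,
# algorithm and size of each primary key (fields 5, 4 and 3 of pub lines).
list_primary_keys() {
    awk -F: '$1 == "pub" {
        algo = ($4 == 1) ? "RSA" : (($4 == 17) ? "DSA" : ("algo" $4))
        print $5, algo, $3 " bits"
    }'
}

# Constructed sample output (not real keys): one SHA1 and one SHA256
# signature packet as --list-packets shows them, and two colon-format
# pub lines (a 1024-bit DSA key and a 4096-bit RSA key).
sample_list_packets() {
    printf ':signature packet: algo 17, keyid 0123456789ABCDEF\n'
    printf '\tversion 4, created 1287622712, md5len 0, sigclass 0x00\n'
    printf '\tdigest algo 2, begin of digest 9c 3a\n'
    printf ':signature packet: algo 1, keyid FEDCBA9876543210\n'
    printf '\tversion 4, created 1287622712, md5len 0, sigclass 0x00\n'
    printf '\tdigest algo 8, begin of digest 41 7e\n'
}
sample_list_keys() {
    printf 'pub:u:1024:17:0123456789ABCDEF:945000000::-::\n'
    printf 'uid:u::::::::Example User <user@example.org>:\n'
    printf 'pub:u:4096:1:FEDCBA9876543210:1287622712::-::\n'
}

# Demo on the constructed samples (real use pipes gpg output instead).
sample_list_packets | signature_digests
sample_list_keys | list_primary_keys
```

To use it for real, replace the sample functions with gpg output, e.g. `gpg --list-packets some.sig | signature_digests` shows whether your signatures still use SHA1, and `gpg --list-keys --with-colons | list_primary_keys` shows at a glance which of your keys are 1024-bit DSA. Run `gpg --batch --gen-key params.txt` on the file written by write_gen_key_params, then set a passphrase and follow the key-transition steps linked in the reply.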