Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] Key signing: gpg version 1.4.6, and --disable-dsa2 option

On Thu, Oct 21, 2010 at 11:58:32AM +1100, Zenaan Harkness wrote:
>Hey sluggers, do you have experience of any problems using gpg's
>--disable-dsa2 option?
>gnupg 1.4.6 is what I am using (Ubuntu 8.04), although later today I
>should have a chroot for Ubuntu 10.04 if that makes any difference.
>  --disable-dsa2
>    Enables new-style DSA keys which (unlike the old style) may be
>    larger than 1024 bit and use hashes other than SHA-1 and
>    RIPEMD/160. Note that very few programs currently support these
>    keys and signatures from them.
>I have only ever given my current key to about three people, and my
>root master/ private key has an old email address from 12+ years ago
>which I wish to make disappear.

I guess your key ID is AA41E5E0:


To migrate your WoT, see:


>So I am going to create a new master key (pair).

You could see the instructions about creating a strong 4096-bit RSA key


>Having just re-read the Gnu Privacy Handbook (GPH), it says:
>"DSA allows a key size up to 1024 bits. This is not especially good
>given today's factoring technology, but that is what the standard
>specifies. Without question, you should use 1024 bit DSA keys."
>Is there any reason I should not use --disable-dsa2 ?

You should use RSA keys of 2048 (or more) bits. The problem with a DSA
key is that by default it uses SHA-1, which may be (or will be) vulnerable.


You should read the page OpenPGP Best Practices at:


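As an added example (not code from the thread or from GnuPG), here is a POSIX shell script that does what the reply recommends: it generates a 4096-bit RSA certify/sign master key with a 4096-bit RSA encryption subkey and SHA-2 digest preferences, writes gpg.conf lines so new signatures and certifications stop defaulting to SHA-1, certifies the new key with the old one so the existing web-of-trust signatures carry over, and exports the new public key. The old key ID AA41E5E0 is the one the reply guesses; the name, e-mail address and output paths are placeholders; the `--quick-sign-key` step assumes gpg 2.1 or later (older gpg signs keys interactively with `--sign-key`).

```shell
#!/bin/sh
# Added example, not code from the thread. Creates a new RSA master key with
# SHA-2 preferences, certifies it with the old key so the web of trust carries
# over, and exports it.
# Assumptions: OLD_KEY defaults to AA41E5E0 (the key ID guessed in the reply);
# name, e-mail and paths are placeholders; --quick-sign-key needs gpg >= 2.1.
set -eu

OLD_KEY=${OLD_KEY:-AA41E5E0}

# Parameter file for unattended key generation (gpg --batch --gen-key).
# The Preferences line puts SHA-2 digests first; SHA-1 is not listed and only
# remains available as the mandatory OpenPGP fallback gpg appends implicitly.
write_keyparams() {   # $1 = output path, $2 = real name, $3 = e-mail
    cat > "$1" <<EOF
%echo Generating a 4096-bit RSA certify/sign key and a 4096-bit RSA encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign,cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Preferences: SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
%commit
%echo done
EOF
}

# gpg.conf lines so that data signatures and key certifications made with any
# of your keys (the old DSA one included) use SHA-2 rather than SHA-1.
write_gpgconf() {   # $1 = output path
    cat > "$1" <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Generate the key, certify it with the old key, export the new public key.
# The fingerprint is taken from gpg's KEY_CREATED status line, so we never
# have to guess which key in the ring is the new one.
migrate_key() {   # $1 = parameter file, $2 = output directory
    new_fpr=$(gpg --batch --status-fd 1 --gen-key "$1" | awk '$2 == "KEY_CREATED" { print $4 }')
    [ -n "$new_fpr" ] || { echo "key generation failed" >&2; return 1; }
    # Certify the new key with the old one (what a key-signing party would do).
    gpg --batch --default-key "$OLD_KEY" --quick-sign-key "$new_fpr"
    gpg --armor --export "$new_fpr" > "$2/new-key-$new_fpr.asc"
    # Show the certifications so you can confirm the old key's signature is present.
    gpg --list-sigs "$new_fpr"
    echo "$new_fpr"
}

# Only touch the real keyring when explicitly asked (RUN_GPG=1 ./script.sh).
if [ "${RUN_GPG:-0}" = 1 ]; then
    workdir=$(mktemp -d)
    write_keyparams "$workdir/keyparams" "Your Name" "you@example.com"
    write_gpgconf "$workdir/gpg.conf.snippet"   # append these lines to ~/.gnupg/gpg.conf
    migrate_key "$workdir/keyparams" "$workdir"
    echo "exported to $workdir"
fi
```

The parameter file deliberately carries no `Passphrase:` line, so gpg 2.x asks for one through pinentry instead of leaving it in a file. After the new key is certified and published, the remaining steps are the ones the reply's links cover: sign your old correspondents' keys with the new key, and revoke the old key once the people who signed it have signed the new one.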