[19590] in cryptography@c2.net mail archive
Re: long-term GPG signing key
daemon@ATHENA.MIT.EDU (Adam Back)
Wed Jan 11 13:46:57 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Jan 2006 09:22:30 -0500
From: Adam Back <adam@cypherspace.org>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Ian G <iang@systemics.com>, "Travis H." <solinym@gmail.com>,
cryptography@metzdowd.com, Adam Back <adam@cypherspace.org>
In-Reply-To: <874q4avp2g.fsf@snark.piermont.com>
There are a number of differences in key management priorities between
(communication) signature and encryption keys.
For encryption keys:
- you want short lived keys
- you should wipe the keys after at first opportunity
- for archiving you should re-encrypt with storage keys
- you can't detect or prove an encryption key is compromised as the
attacker will just be decrypting documents
For signature keys:
- you want longer lived keys (or two tier keys, one for ceritfying
that is kept offline, and one for signing communications that is
offline) - in fact many applications dont even want signatures they
want authentication (convince the recipient of author and integrity,
but be non-transferable)
- with signature keys if they are compromised and the compromised key
used, there is risk (to the attacker) that the recipient or others can
detect and prove this.
I do agree tho that the relative value of encryption vs signature
depends on teh application.
Adam
On Wed, Jan 11, 2006 at 09:04:07AM -0500, Perry E. Metzger wrote:
>
> Ian G <iang@systemics.com> writes:
> > Travis H. wrote:
> >> I'd like to make a long-term key for signing communication keys using
> >> GPG and I'm wondering what the current recommendation is for such. I
> >> remember a problem with Elgamal signing keys and I'm under the
> >> impression that the 1024 bit strength provided by p in the DSA is not
> >> sufficiently strong when compared to my encryption keys, which are
> >> typically at least 4096-bit D/H, which I typically use for a year.
> >
> > 1. Signing keys face a different set of
> > non-crypto threats than to encryption
> > keys. In practice, the attack envelope
> > is much smaller, less likely.
>
> I call "bull".
>
> You have no idea what his usage pattern is like, and you have no idea
> what the consequences for him of a forged signature key might be. It
> is therefore unreasonable -- indeed, unprofessional -- to make such
> claims off the cuff.
>
> --
> Perry E. Metzger perry@piermont.com
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
