[kwlug-disc] Using 4096-bit RSA for keysigning party (NOT defaults)
denver at ossguy.com
Sat Sep 11 13:34:21 EDT 2010
(changing subject for proper threading)
On Fri, Sep 10, 2010 at 10:31 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
> As part of this meeting we will hold a keysigning party, and if you
> act quickly then you can participate! There is a summary of how to get
> started here: http://kwlug.org/node/772 which I will reproduce below.
> But you have to get Keymaster Chris your signature BEFORE the meeting
> to play.
> Whew. Here are some keysigning party instructions:
> Chris Frey (cdfrey at the domain foursquare dot net) is the KeyMaster
> for this party. As part of the process, you will e-mail him your key.
> Here are his instructions for getting started, with some e-mail
> address obfuscation:
> 1. Generate new key:
> gpg --gen-key
> (Accept the defaults, they are pretty good)
Unfortunately, they might not be. On most distros released before
about May 2009 (and probably more), the default GnuPG settings will
give you a 1024-bit DSA key, which is quite vulnerable to attacks due
to its reliance on SHA-1:
As recommended in the above article, users should select RSA and I
would personally recommend using the maximum key size of 4096 bits.
So please do NOT use the defaults and instead choose 4096-bit RSA.
This will give us a much stronger web of trust.
I'm personally of the opinion that a non-expiring key is ok, though
the extra-paranoid will probably want a finite expiration time (though
this makes it harder to remain in the web of trust over time).
> gpg --fingerprint dc6371d5
> pub 1024D/DC6371D5 2006-12-02 [expires: 2011-12-01]
> Key fingerprint = 7D71 47F2 3F61 B0E1 5F3C 68A4 819A 39D8 DC63
> uid Chris Frey (cube)
> sub 4096g/C2855553 2006-12-02 [expires: 2011-12-01]
I hate to break it to Chris, but his key is one of the potentially
vulnerable. "pub 1024D" means 1024-bit DSA. I would especially
recommend that Chris generate a new key before the meeting, being the
keymaster and all.
Here's an example of the kind of key you want:
$ gpg --keyserver pgp.mit.edu --recv-keys 5F36A772
$ gpg --list-keys 5F36A772
pub 4096R/5F36A772 2009-06-16
uid Denver Gingerich [...]
sub 4096R/A0C337A9 2009-06-16
(As you may have guessed, "pub 4096R" means I have a 4096-bit RSA key.)
Whoever has access, please update the instructions at
http://kwlug.org/node/772 and send them to kwlug-announce (I know not
all people follow kwlug-disc).
I don't like to causing extra work for people (updating
sites/e-mails), but I would much rather see a little extra work done
now than to have a whole bunch of vulnerable keys made.
I hope the keysigning party goes well.
More information about the kwlug-disc