[kwlug-disc] Using 4096-bit RSA for keysigning party (NOT defaults)

Denver Gingerich denver at ossguy.com
Sat Sep 11 13:34:21 EDT 2010 

(changing subject for proper threading)


On Fri, Sep 10, 2010 at 10:31 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:
[...]
> As part of this meeting we will hold a keysigning party, and if you
> act quickly then you can participate! There is a summary of how to get
> started here: http://kwlug.org/node/772 which I will reproduce below.
> But you have to get Keymaster Chris your signature BEFORE the meeting
> to play.
[...]
> Whew. Here are some keysigning party instructions:
>
> Chris Frey (cdfrey at the domain foursquare dot net) is the KeyMaster
> for this party. As part of the process, you will e-mail him your key.
>
> Here are his instructions for getting started, with some e-mail
> address obfuscation:
>
>   1. Generate new key:
>
>      gpg --gen-key
>
>      (Accept the defaults, they are pretty good)

Unfortunately, they might not be.  On most distros released before
about May 2009 (and probably more), the default GnuPG settings will
give you a 1024-bit DSA key, which is quite vulnerable to attacks due
to its reliance on SHA-1:

http://www.debian-administration.org/users/dkg/weblog/48

As recommended in the above article, users should select RSA and I
would personally recommend using the maximum key size of 4096 bits.

So please do NOT use the defaults and instead choose 4096-bit RSA.
This will give us a much stronger web of trust.

I'm personally of the opinion that a non-expiring key is ok, though
the extra-paranoid will probably want a finite expiration time (though
this makes it harder to remain in the web of trust over time).

>      gpg --fingerprint dc6371d5
>      pub 1024D/DC6371D5 2006-12-02 [expires: 2011-12-01]
>      Key fingerprint = 7D71 47F2 3F61 B0E1 5F3C 68A4 819A 39D8 DC63
> 71D5
>      uid Chris Frey (cube)
>      sub 4096g/C2855553 2006-12-02 [expires: 2011-12-01]

I hate to break it to Chris, but his key is one of the potentially
vulnerable.  "pub 1024D" means 1024-bit DSA.  I would especially
recommend that Chris generate a new key before the meeting, being the
keymaster and all.

Here's an example of the kind of key you want:

$ gpg --keyserver pgp.mit.edu --recv-keys 5F36A772
$ gpg --list-keys 5F36A772
pub   4096R/5F36A772 2009-06-16
uid                  Denver Gingerich [...]
sub   4096R/A0C337A9 2009-06-16


(As you may have guessed, "pub   4096R" means I have a 4096-bit RSA key.)

Whoever has access, please update the instructions at
http://kwlug.org/node/772 and send them to kwlug-announce (I know not
all people follow kwlug-disc).

I don't like to causing extra work for people (updating
sites/e-mails), but I would much rather see a little extra work done
now than to have a whole bunch of vulnerable keys made.

I hope the keysigning party goes well.

Denver
http://ossguy.com/

More information about the kwlug-disc mailing list