
Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)



On Wed, 05 Mar 2014, peter green wrote:
> Also ECDSA shares with DSA the serious disadvantage over RSA that
> making signatures on a system with a broken RNG can reveal the key.

I believe that we should avoid ECDSA gnupg keys and subkeys like the plague
for the time being.

You'd most likely get ECDSA keys using the NIST p-curves out of gnupg, and
these p-curves are suspected to be backdoored.  AFAIK, better curves are
available only on the latest development versions of gnupg 2.1, and the
difficulties do not end there: the keyservers are also going to be a problem
for such keys and subkeys for a while yet.

IMHO, we should stick with 4096-bit RSA for the main key for the time being,
and use short expire dates for the *subkeys* (2 years or less).

Refer to http://safecurves.cr.yp.to/  for more details on elliptic curves
for crypto.


PS: NIST p-curves are also a potential problem on OpenSSH and DNSSEC.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
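
An added example, not part of the original message: a small audit of `gpg --with-colons --list-keys` output against the policy suggested above (4096-bit RSA primary key, no ECDSA or NIST-curve keys, subkeys expiring within 2 years). The sample records and key IDs are constructed, the finding labels are hypothetical, and the parser assumes GnuPG 2.x colon output with epoch timestamps and the curve name in field 17.

```python
# Added example: check GnuPG colon-format key listings against the policy
# suggested in this message. Finding labels are hypothetical names.
NIST_CURVES = {"nistp256", "nistp384", "nistp521"}
MAX_SUBKEY_LIFETIME = 731 * 86400  # 2 years, with one leap day of slack

# Constructed sample records (not real keys).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1393977600:::u:::scESC::::::
sub:u:4096:1:BBBBBBBBBBBBBBBB:1393977600:1425513600:::::e::::::
pub:u:1024:17:CCCCCCCCCCCCCCCC:1078444800:::u:::scESC::::::
sub:u:256:19:DDDDDDDDDDDDDDDD:1393977600::::::s:::::nistp256:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1393977600:1551744000:::::e::::::
"""

def audit(colon_output):
    """Return a list of (keyid, finding) tuples for pub/sub records."""
    findings = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr, sig and malformed records are ignored
        kind, bits, algo, keyid = f[0], int(f[2] or 0), f[3], f[4]
        created, expires = f[5], f[6]
        curve = f[16] if len(f) > 16 else ""
        # Public-key algorithm 19 is ECDSA; also flag any NIST P-curve.
        if algo == "19" or curve in NIST_CURVES:
            findings.append((keyid, "nist-ecc"))
        # Algorithm 1 is RSA; the primary key should be RSA >= 4096 bits.
        elif kind == "pub" and (algo != "1" or bits < 4096):
            findings.append((keyid, "weak-primary"))
        if kind == "sub":
            if not expires:
                findings.append((keyid, "no-expiry"))
            elif int(expires) - int(created) > MAX_SUBKEY_LIFETIME:
                findings.append((keyid, "long-expiry"))
    return findings

if __name__ == "__main__":
    for keyid, finding in audit(SAMPLE):
        print(keyid, finding)
```

To audit a real keyring, pass the captured output of `gpg --with-colons --list-keys` to `audit()` in place of `SAMPLE`.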

