Mailing List Archive

Revoking key
Hi

I would like to revoke a key that I have been using up until now,
mainly because I chose a too big key size when I created it (2048).
Another reason is that I have gotten the impression from the GnuPG
changelog that decryption is faster with keys generated with v1.0.2, is
this correct? The key I want to revoke has been spread to keyservers.

After reading the GnuPG manual it seems I have two options, either use
--revoke-key or edit the key and run revkey on it. If I choose the
latter, is it enough to first run "key 1" followed by "revkey"? Can I
then just send it to a keyserver, and rest assured that my old key will
not be used any more?
--

// André
Revoking key
Hi

I have generated a new keypair with GnuPG 1.0.2, and I would like
to revoke the key that I have been using up until now, mainly because I
chose a too big key size when I created that one (2048). Another reason
is that I have gotten the impression from the GnuPG changelog that
decryption is faster with keys generated with v1.0.2, is this correct?
The key I want to revoke has been spread to keyservers.

After reading the GnuPG manual it seems I have two options, either use
--revoke-key or edit the key and run revkey on it. If I choose the
latter, is it enough to first run "key 1" followed by "revkey"? Can I
then just send it to a keyserver, and rest assured that my old key will
not be used any more?
--

// André
Re: Revoking key
On Thu, 20 Jul 2000, André Dahlqvist wrote:

> Another reason is that I have gotten the impression from the GnuPG
> changelog that decryption is faster with keys generated with v1.0.2, is
> this correct? The key I want to revoke has been spread to keyservers.

Yes. But, all you have to do is to revoke the subkey which is used
for encryption. The primary (DSA) key stays and with it all your key
signatures.

1. --edit-key your_key
2. "addkey"
   create a new encryption only key
3. select your old subkey ("key 1")
4. "revkey"
   and you have revoked your old key.

The old key will still stay in your keyring but it will never be used
for encryption anymore. However, you can still decrypt messages
encrypted for the old key.

Werner

--
Werner Koch OpenPGP key 621CC013
OpenIT GmbH http://www.OpenIT.de
Re: Revoking key
> Anything smaller than 2048 probably is too small. 2048 is a fine
> size.

If that's the case, which I doubt everyone agrees on, I think the GnuPG
manual should be updated. It currently states:

"The longer the key the more secure it is against brute-force attacks,
but for almost all purposes the default keysize is adequate since it
would be cheaper to circumvent the encryption than try to break it."

> > Another reason is that I have gotten the impression from the GnuPG
> > changelog that decryption is faster with keys generated with
> > v1.0.2, is this correct?
>
> I can't see why that would be correct.

What made me think so was the GnuPG changelog at appwatch.com:

http://www.appwatch.com/Linux/App/374/S/1/history.html

Among the changes this is mentioned: "New encryption keys are generated
in a way which allows a much faster decryption"

So is decryption faster in 1.0.2 only on newly generated keys, or on
keys created before too?
--

// André
Re: Revoking key
On Fri, 21 Jul 2000, André Dahlqvist wrote:

> http://www.appwatch.com/Linux/App/374/S/1/history.html
>
> Among the changes this is mentioned: "New encryption keys are generated
> in a way which allows a much faster decryption"
>
> So is decryption faster in 1.0.2 only on newly generated keys, or on
> keys created before too?

Decryption is faster for new encryption keys. The reason for this is
that GnuPG now uses a much smaller x parameter which is not anymore
about the same size as the prime but about 1.5 times what Wiener
suggests for subgroups (see cipher/elgamal.c#wiener_table). This
makes a huge difference in speed for large keys.

Werner


--
Werner Koch OpenPGP key 621CC013
OpenIT GmbH http://www.OpenIT.de
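
The effect described in the last reply, as an added example that is not part of the thread and not GnuPG code: ElGamal decryption is dominated by one exponentiation with the secret x, so the work grows with the bit length of x. Assumptions: the modulus (a Mersenne prime used only as a stand-in), the generator, and the 340-bit short exponent are illustrative and are not taken from GnuPG's wiener_table.

```python
import random

# Constructed stand-in modulus: the Mersenne prime 2^2203 - 1. It only makes the
# arithmetic realistic in size; it is NOT a suitable modulus for real keys.
P = 2**2203 - 1
G = 3

def modexp(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, modular multiplications)."""
    result, ops = base % mod, 0
    for bit in bin(exp)[3:]:               # bits after the leading 1
        result = result * result % mod     # one squaring per remaining bit
        ops += 1
        if bit == "1":
            result = result * base % mod   # one extra multiply per set bit
            ops += 1
    return result, ops

def keygen(x_bits, rng):
    """Secret exponent x of exactly x_bits bits, and public y = G^x mod P."""
    x = rng.getrandbits(x_bits) | (1 << (x_bits - 1))
    return x, pow(G, x, P)

def encrypt(m, y, rng):
    k = rng.getrandbits(256) | 1           # ephemeral exponent, kept short for the demo
    return pow(G, k, P), m * pow(y, k, P) % P

def decrypt(c1, c2, x):
    s, ops = modexp(c1, x, P)              # the only step whose cost depends on x
    return c2 * pow(s, -1, P) % P, ops     # modular inverse needs Python 3.8+

def compare(short_bits=340, full_bits=2202, seed=1):
    """Decrypt the same message under a short and a modulus-sized secret exponent."""
    rng = random.Random(seed)              # seeded for reproducibility, not for real keys
    m = int.from_bytes(b"constructed test message", "big")
    out = {}
    for label, bits in (("short", short_bits), ("full", full_bits)):
        x, y = keygen(bits, rng)
        c1, c2 = encrypt(m, y, rng)
        plain, ops = decrypt(c1, c2, x)
        out[label] = (plain == m, ops)
    return out

if __name__ == "__main__":
    for label, (ok, ops) in compare().items():
        print(f"{label:5s} x: decrypt ok={ok}, modular multiplications={ops}")
```

An existing key keeps the x it was generated with, which is why only newly generated encryption keys decrypt faster.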