Yubikey 4 becoming non-free

Florian Snow floriansnow at fsfe.org
Wed May 25 03:59:38 UTC 2016


Michael Kesper <mkesper at schokokeks.org> writes:
> Keep in mind such high key lengths might be a nuisance for other
> people (performance...)

I use 4K; I just saw another key that was 16K.  I still use RSA keys
because of the slight risk of quantum computers becoming usable within
the next 10 years.  If I understood things correctly, for those
computers, only the key size matters; ECC does not make it significantly
more difficult for them to break.  Please correct me if I'm wrong here.

> So you're throwing away all your signatures regularly.

Not really.  I keep my key for many years if it is still safe.  After
that, I would try the route of asking people to sign my new key by
sending them an email signed with both keys.

I also don't currently collect any signatures on my key.  I am still not
sure it is a good idea and no one has been able to provide a good answer
to me yet.  The problem I see is that the recommended procedure for
signing a key involves checking a government issued id.  If the
government then checks those emails, they can verify a certain email was
actually written by me and the more signatures I have, the more certain
they can be that at least _someone_ checked my id.

I don't care about the social graph being exposed; it is exposed anyway
if I send emails to people.  But linking my key to a government issued
id is a problem for me.

My current alternative is to just exchange key fingerprints in person.
I don't check ids when I talk to people so with exchanging keys in
person, I have the same level of security as I would have in person.
This doesn't solve the problem of communicating with people who I have
never met personally.  I'm not sure how to solve it.

Happy hacking!
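
The key-transition route mentioned above (an email signed with both the old and the new key) and the fingerprint comparison from the in-person exchange, as an added example that is not part of the original mail or of the list: a shell script using GnuPG that creates two throwaway keys, clear-signs a constructed transition statement with both, and then checks on the recipient side that two signatures verify and that the key the statement names as new really did sign it. The names, address, statement text and file names are constructed for the demo; it assumes gpg 2.x and gpgconf are on PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): a key-transition statement
# clear-signed with BOTH the old and the new OpenPGP key, then verified.
# Assumes GnuPG 2.x (gpg, gpgconf) on PATH. Keys, names, address and
# statement text are constructed; nothing here touches your real keyring.
set -e

# Throwaway keyring directory, removed (and its agent killed) on exit.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# g: gpg in non-interactive mode with an empty passphrase (demo keys only).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# gen_key UID: create a signing-only ed25519 key and print its fingerprint.
# The fingerprint comes from the KEY_CREATED status line, so two keys that
# carry the same user ID (one person's old and new key) are told apart.
gen_key() {
    g --status-fd 1 --quick-generate-key "$1" ed25519 sign 0 2>/dev/null |
        awk '$2 == "KEY_CREATED" { print $4; exit }'
}

# sign_with FILE KEY...: clear-sign FILE with every KEY given (one -u per
# key yields one signature per key inside a single message); print output path.
sign_with() {
    file="$1"; shift
    out="$file.asc"
    # Rebuild "$@" as "-u KEY1 -u KEY2 ..."; the for-list is expanded once,
    # so shifting inside the loop is safe in POSIX sh.
    for k in "$@"; do set -- "$@" -u "$k"; shift; done
    g "$@" --clearsign -o "$out" "$file" 2>/dev/null
    echo "$out"
}

# signer_fprs SIGNED: fingerprints of every key whose signature verified.
signer_fprs() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $3 }'
}

# count_valid_sigs SIGNED: number of good signatures on SIGNED.
count_valid_sigs() { signer_fprs "$1" | grep -c . || true; }

# signed_by SIGNED FPR: succeeds only if the key with fingerprint FPR signed
# SIGNED. This is the check a recipient does with a fingerprint obtained
# out of band (in person, or from the old key's signature on this statement).
signed_by() { signer_fprs "$1" | grep -qx "$2"; }

# --- the author's side: old key, new key, statement signed with both -------
OLD=$(gen_key 'Demo User <demo@example.org>')
NEW=$(gen_key 'Demo User <demo@example.org>')

STATEMENT="$GNUPGHOME/transition.txt"
cat > "$STATEMENT" <<EOF
OpenPGP key transition statement (constructed sample)

I am retiring my old key  $OLD
in favour of my new key   $NEW
This message is signed with both keys. If you signed the old key,
please verify the new fingerprint and sign the new key as well.
EOF

BOTH=$(sign_with "$STATEMENT" "$OLD" "$NEW")   # what the author would mail out

# A statement signed only by the new key proves nothing about continuity.
cp "$STATEMENT" "$GNUPGHOME/new-only.txt"
ONLY_NEW=$(sign_with "$GNUPGHOME/new-only.txt" "$NEW")

# --- the recipient's side ---------------------------------------------------
echo "good signatures on the transition statement: $(count_valid_sigs "$BOTH")"
echo "good signatures on the new-key-only copy:    $(count_valid_sigs "$ONLY_NEW")"
if signed_by "$BOTH" "$OLD" && signed_by "$BOTH" "$NEW"; then
    echo "transition statement is signed by both the old and the new key"
fi
```

The recipient only gets continuity from the old key's signature: `signed_by` against the old fingerprint is the check that the person who controlled the old key also vouches for the new one, and the new fingerprint printed inside the statement is then compared against the key that actually produced the second signature. Both functions work from `VALIDSIG` status lines rather than from the human-readable "Good signature" text, which changes with locale.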
