The key size warning
Michael Young
mwy-gpg41 at the-youngs.org
Wed Mar 27 00:36:01 CET 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> From: "Robert J. Hansen" <rjhansen at inav.net>
>
> 768-bit keys should, IMO, flag a warning about "This key is far below
> the recommended keysize". But that's it.

I agree. If I *really* want a smaller key, despite the warning,
why should it be GnuPG's job to prevent me? I can buy the
argument that some programs should protect the incurably stupid,
but GnuPG is just chock-full of options that can be horribly misused
already. A protectionist policy seems out of place.

I have a relatively short key for low-value material I may
keep on my Palm device. I'm willing to let someone spend
$1B (or even $1M) if they really want this material, but I'm not
willing to wait minutes to get my data. (Some perhaps, but not all.)

I actually have a 384-bit key that I've used as an MDC. (It won't
cost you very much to break this. Heck, for $1, I'll give you the
secret key myself. :-) You could argue that I should use a new key
that gets automatic MDC treatment, or force GnuPG to use an MDC, but
sometimes I need to use a pre-MDC product. So, I sign with a
ridiculously short key. I'd have generated an even shorter one, but
this was the lower limit for PGP2.6.

No, not everybody needs to do these things. But should I really
have to dig up an antique product or roll my own key generator
if this is what I really want to do?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQA/AwUBPKEEQFMkvpTT8vCGEQISRACdFGmLj0n66njq6C7EYz+2ttDxOIoAoJqT
c6rq6L099BiKVLu5zKlDeC66
=wTxj
-----END PGP SIGNATURE-----
More information about the Gnupg-devel mailing list