The key size warning

Michael Young mwy-gpg41 at
Wed Mar 27 00:36:01 CET 2002

Hash: SHA1

> From: "Robert J. Hansen" <rjhansen at>
> 768-bit keys should, IMO, flag a warning about "This key is far below
> the recommended keysize".  But that's it.

I agree.  If I *really* want a smaller key, despite the warning,
why should it be GnuPG's job to prevent me?  I can buy the
argument that some programs should protect the incurably stupid,
but GnuPG is just chock-full of options that can be horribly misused
already.  A protectionist policy seems out of place.

I have a relatively short key for low-value material I may
keep on my Palm device.  I'm willing to let someone spend
$1B (or even $1M) if they really want this material, but I'm not
willing to wait minutes to get my data.  (Some perhaps, but not all.)

I actually have a 384-bit key that I've used as an MDC.  (It won't
cost you very much to break this.  Heck, for $1, I'll give you the
secret key myself. :-) You could argue that I should use a new key
that gets automatic MDC treatment, or force GnuPG to use an MDC, but
sometimes I need to use a pre-MDC product.  So, I sign with a
ridiculously short key.  I'd have generated an even shorter one, but
this was the lower limit for PGP2.6.

No, not everybody needs to do these things.  But should I really
have to dig up an antique product or roll my own key generator
if this is what I really want to do?

Version: PGP Personal Privacy 6.5.3


More information about the Gnupg-devel mailing list