Changing GPG's default key type

[David Shaw]

Hi,

Currently, GPG's default key type, the one that is recommended to all  
new users, is a DSA primary key (1024 bits - not "DSA2") with an  
Elgamal subkey.  We are currently thinking about changing the default  
primary to a 2048-bit RSA key.

The main benefits of changing the key type is that it can go past the  
1024 bit DSA1 limit, and would also not be limited to a 160-bit hash,  
both of which are getting a little long in the tooth.  We could get  
similar benefits with a DSA2 key, but DSA2 is not nearly as widely  
implemented as RSA is, so is not a good option for a default key at  
this time.  We will of course continue supporting DSA2 (and DSA "1")  
as we do now.  This is purely a question of what the default key  
should be.

This is not directly prompted by the recent SHA-1 troubles, but it is  
somewhat related, as it would let users of the default key type use  
hashes larger than 160 bits.  That said, this is not intended to be a  
fix for the SHA-1 problems.  We are not proposing changing our default  
signing hash, which will remain SHA-1.

After a bit of internal discussion, we thought it was worth mentioning  
this here, to see if the community had any issue or other comments.  I  
don't expect this to be a particularly controversial move, but  
discussion is always welcome.

One issue, of course, is that RSA is not a required key type in  
OpenPGP, so there could be some implementation out there that won't be  
able to handle it.  I'm not terribly concerned about this, as in  
practice, the vast majority of code has handled RSA just fine for the  
past decade, and if a particular user needs to generate a non-RSA key,  
they can still do so.
There are a few other details (RSA signatures are physically larger,  
etc), but I believe they are outweighed by the benefit of the larger  
key and additional hash flexibility.

David