DSA keys limited to 3072 bits in GnuPG -- should have harder failure mode?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 28 19:23:42 CEST 2010
hi folks--
in writing up a little benchmarking script, i noticed that DSA keys are
limited to 3072 bits max.
i don't see a need to do more than that myself (i just wanted to have
some comparison figures), but i was surprised to find that gpg just went
ahead and created a smaller key than requested, instead of failing outright.

  printf 'Key-Type: DSA\nKey-Length: 4096\nName-Real: test\n' | \
    gpg --batch --gen-key

produces the warning message:

  gpg: keysize invalid; using 3072 bits

i understand gnupg needing to make things slightly stronger than the
user requested. But it seems odd that GnuPG would go ahead in a weaker
mode than requested by the user. shouldn't there be some sort of harder
failure?
The attached patch is a proposal to fail hard in this situation.
Hope this is useful!
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hard-fail-on-unsupported-DSA-size.patch
Type: text/x-diff
Size: 470 bytes
Desc: not available
URL: </pipermail/attachments/20100928/b6c26e92/attachment.patch>
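
Added example (not part of the original message and not GnuPG code): a shell check that a batch key-generation script could run so that the size substitution described above stops the script instead of passing as a warning. It assumes the caller has captured gpg's stderr and a `--with-colons` key listing; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: stderr from the batch run quoted in the message.
SAMPLE_STDERR='gpg: keysize invalid; using 3072 bits'

# Constructed sample of a --with-colons listing for the resulting key.
# In a "pub" record, field 3 is the key length and field 4 the
# algorithm id (17 = DSA).
SAMPLE_COLONS='pub:u:3072:17:0123456789ABCDEF:2010-09-28:::u:::scSC:
uid:u::::2010-09-28::::test:'

# Print the bit length of the first primary key in a colon listing.
pub_key_bits() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $3; exit }'
}

# Succeed only if the primary key has exactly the requested length.
key_matches_request() {
    requested=$1
    actual=$(pub_key_bits "$2")
    [ -n "$actual" ] && [ "$actual" -eq "$requested" ]
}

# Succeed if stderr contains the size-substitution warning.
keysize_was_substituted() {
    printf '%s\n' "$1" | grep -Eq '^gpg: keysize invalid; using [0-9]+ bits$'
}

# Args: requested_bits gpg_stderr colon_listing
# Non-zero return means the key must not be used as generated.
verify_keygen() {
    if keysize_was_substituted "$2"; then
        echo "gpg substituted a different key size than requested" >&2
        return 1
    fi
    if ! key_matches_request "$1" "$3"; then
        echo "generated key length differs from the $1 bits requested" >&2
        return 1
    fi
}
```

In a real run the second argument would come from `gpg --batch --gen-key 2>keygen.err` and the third from `gpg --with-colons --list-keys`; checking the listing as well as the warning text keeps the test working if the message wording changes.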