DSA keys limited to 3072 bits in GnuPG -- should have harder failure mode?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Sep 29 16:33:36 CEST 2010
On 09/29/2010 04:44 AM, Werner Koch wrote:
> On Tue, 28 Sep 2010 19:23, dkg at fifthhorseman.net said:
>
>> in writing up a little benchmarking script, i noticed that DSA keys are
>> limited to 3072 bits max.
>
> That is per FIPS 186-3.
yup, understood.
>> The attached patch is a proposal to fail hard in this situation.
>
> Which would break a couple of frontends.
frontends which currently silently fail to meet their users' requests
and proceed anyway?
> This also allows us to
> silently allow larger keys once it has been defined
at that point, you would presumably move the upper limit in the same
lines affected by the patch.
> - despite that
> nobody will ever use DSA keys > 3072.
:) So why not explicitly fail when people ask for them?
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100929/7be571f7/attachment.pgp>
More information about the Gnupg-devel
mailing list