DSA keys limited to 3072 bits in GnuPG -- should have harder failure mode?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 29 16:33:36 CEST 2010

On 09/29/2010 04:44 AM, Werner Koch wrote:
> On Tue, 28 Sep 2010 19:23, dkg at fifthhorseman.net said:
>> in writing up a little benchmarking script, i noticed that DSA keys are
>> limited to 3072 bits max.
> That is per FIPS 186-3.

yup, understood.

>> The attached patch is a proposal to fail hard in this situation.
> Which would break a couple of frontends.

frontends which currently silently fail to meet their users' requests
and proceed anyway?

> This also allows us to
> silently allow larger keys once it has been defined

at that point, you would presumably move the upper limit in the same
lines affected by the patch.

>  - despite that
> nobody will ever use DSA keys > 3072.

:)  So why not explicitly fail when people ask for them?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100929/7be571f7/attachment.pgp>

More information about the Gnupg-devel mailing list