generating RSA key sizes > 4096

Ido Rosen ido at kernel.org
Thu Dec 5 04:59:53 CET 2013


There is another compelling reason to add the larger key sizes as a
compile-time option:  The purpose of this patch is not to change the
default maximum for everyone, but to remove the incentive for a large
subset of GnuPG users to use third-party, untrusted patches/code to
get a feature that is supposed to enhance security for their use case.
 The patch in bug #1573 provides a compile-time option to allow users
to set the maximum key size supported to greater than the default
maximum if they want to.

This is about more than key sizes:  If downstream users of GnuPG are
regularly and routinely patching the GnuPG code with external,
untrusted code to add a feature that is beneficial to a large subset
of GnuPG users (since the majority of GnuPG users are probably not on
mobile phones or 10+ year old computers), then for the purpose of
preventing GnuPG users from having to monkeypatch their GnuPG with
patches the implications of which they may not fully understand
themselves, we should make that it a compile-time option.

I don't even mind if you modify the patch to make it a *hidden*
compile-time option.  My only desire in submitting the patch is to
return control of the actual GnuPG code that is running in the wild to
the core GnuPG developers rather than untrusted third parties, by
removing the need for a patch to obtain this feature.

Cheers,
Ido



More information about the Gnupg-devel mailing list