FAQ: Re: key length

Achim Pietig achim at pietig.com
Sun Aug 3 09:51:22 CEST 2014


there ist still some confusion on the supported key length in the card.
All cards that are sold by Kernelconcepts and have a manufacturer ID from Zeitcontrol (V2.0 and above)
are developed by me and tested by Werner Koch. They support RSA up to 4096 bit - 2048 is the default (still enough for many years).

Older versions of gnupg support only 3072 bit RSA, this was solved in a version last year (2.x branch).

To use other key lenght in the card you have to change the length indicator in the Extended capabilities of the card with the command PUT DATA.
Each key (sign, dec, auth) has its own length and can be set individual, read the specification .

After setting the length indicator, gey generation will use the new value or keys with that value can be imported.

Other cards from different vendors may not support this feature...


Am 03.08.2014 um 03:47 schrieb Robert J. Hansen:
>> This makes me curious: Is there an example for an OpenPGP
>> implementation that only support <= 2048-bit RSA keys? Still in
>> usage?
> Yes.  My smartcard, for instance, only supports 2048-bit RSA.  Larger
> keys can't be migrated to them.
>> I haven't read the ENISA recommendation in full length. If they
>> allow 2048 bit for old applications or up to a specific point, it
>> would be an improvement to say so. It may make sense to directly link
>> to their recommendation paper.
> I'll see about digging up a specific reference.
>> You may consider using a different word here. As someone who speaks
>> English as a foreign language, I had to look "imminently" up to be
>> sure about its meaning.
> Easy enough to accommodate.  :)
>> Wasn't there something about the current OpenPGP smartcards only
>> being able to deal with 3072-bit keys?
> Some can support 3072-bit RSA.  Many can only do RSA-2048.
>> I recommend to leave out the next question and answer, it does not
>> add much significant information.
> Eh.  I think it has a point, but I can definitely work on making that
> point more clear.
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list