FAQ: Re: key length

Bernhard Reiter bernhard at intevation.de
Wed Aug 13 12:00:42 CEST 2014


On Friday 08 August 2014 at 10:44:01, Werner Koch wrote:
> On Fri,  8 Aug 2014 09:45, bernhard at intevation.de said:
> > So what is the common weakest link then?
> > The symmetric cipher, the entropy source, the implementation issues in
> > software and hardware (like side channel attacks)?
>
> The ubiquitous exploitable bugs in all software, the OS, the MUAs, the
> "apps", the browser running foreign code on your box, social
> engineering, etc.

I know that there are several deep branches in a general attack tree,
but this is beside the point. Even if there are weaker spots, it seems sane to 
try to keep the crypto part that GnuPG is responsible for strong.

> > OpenPGP system to be so strong that it provides 10 years security.
> > At least my actions I can control.
>
> Never connect to the Net and you have a chance to control things.

Again, this is not an argument I can easily understand. But this is what I am 
trying to do: Find a good chain of arguments, so that I and others can 
understand and validate themselves that the current choice of GnuPG's default 
key length is a good one. Or come back with a better chain of arguments.
And then: Write them down, for more people to question and research them.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner