FAQ: Re: key length

Robert J. Hansen rjh at sixdemonbag.org
Thu Jul 24 12:02:46 CEST 2014

This is just a proposal, *not* a final draft.  If this gives people
heartburn, let me know precisely what gives heartburn and I'll try to
mitigate it as best as I can.

Q: Why does GnuPG default to 2048-bit RSA?
A: Because it offers reasonable security for the next several years
   while still being compatible with the widest variety of OpenPGP

Q: What are NIST's recommendations for key sizes?
A: According to NIST Special Publication 800-57, "Recommendation for
   Key Management," published in July 2012, a 2048-bit RSA or DSA
   key is comparable in strength to 3DES.  Further, they state that
   2048-bit keys are acceptable for use through the year 2030.

Q: What are ENISA's recommendations for key sizes?
A: Slightly different, but not so much so as to be surprising.  ENISA
   is slightly more pessimistic about the long-term prospects of
   2048-bit keys, although they are careful to note 2048-bit keys are
   still daunting for an adversary.

Q: Is there a general recommendation that 3072-bit keys be used for
   new applications?
A: No, although some respected people and groups within the
   cryptographic community have made such recommendations.

Q: Why does GnuPG disregard these recommendations for 3072-bit keys?
A: We don't.  That recommendation is for *new applications*.  GnuPG
   is not a new application.  When a user generates a GnuPG certificate,
   that user becomes part of an ecosystem of existing certificates and
   a userbase that spans the globe.  In short, GnuPG is not a new

Q: Are there any plans to move to stronger keys by default?
A: Imminently.  When a version of GnuPG is released which supports
   elliptical-curve cryptography, then will be an ideal time for us
   to pause, take a deep breath, and make the transition to larger
   effective key sizes.

Q: I think I need larger key sizes.
A: By all means, feel free to generate certificates with larger keys.
   GnuPG supports up to 4096-bit keys.

Q: If GnuPG will be moving to stronger default key sizes in the near
   future via support for elliptical curves, why is there such
   controversy about what GnuPG's defaults are right now?
A: It's human nature to want things "more, better, and right now."  But
   just like in the rest of life, good things come to those who wait.
   It won't be long, we promise.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3744 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20140724/744bf616/attachment.bin>

More information about the Gnupg-devel mailing list