[PATCH] agent: Respect --enable-large-secmem

Werner Koch wk at gnupg.org
Wed Dec 7 08:32:53 CET 2016

On Tue,  6 Dec 2016 22:02, dkg at fifthhorseman.net said:

> patch is applied and we configure with --enable-large-secmem.  Are you
> suggesting that we'd need a runtime argument to gpg-agent in order to be
> able to generate such a large key?  I'm fine with never generating them,
> as long as people who have them can import them and use them.

We have the --enable-large-rsa option in gpg and thus it would be
logically to do have same in gpg-agent:


       With --gen-key and --batch, enable the creation of RSA secret
       keys as large as 8192 bit.  Note: 8192 bit is more than is
       generally recommended.  These large keys don't significantly
       improve security, but they are more expensive to use, and their
       signatures and certifications are larger.  This option is only
       available if the binary was build with large-secmem support.

By screening I meant to limit crypto operations to keys of a certain
size to avoid that one connection can stall processing of other
connections by using huge keys.  The hard limit imposed by Libgcrypt are
16 kbits but artificially limiting computing to 8k _may_ be useful.
Unfortunately there are a few even larger keys, which have been the
reason for introducing the above mentioned option.  Thus we would need
an option to override such a limit. 

Probably best not to do anything in gpg-agent. 



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: </pipermail/attachments/20161207/d830a615/attachment.sig>

More information about the Gnupg-devel mailing list