[PATCH] gpg: Actually allow generation of 8192-bit rsa keys

Luis Ressel aranea at aixah.de
Tue Jan 24 21:46:05 CET 2017

On Tue, 24 Jan 2017 21:04:27 +0100
Werner Koch <wk at gnupg.org> wrote:

> On Tue, 24 Jan 2017 17:45, aranea at aixah.de said:
> > Currently, get_keysize_range() returns 4096 as an upper bound for
> > the size of RSA keys even if the option --enable-large-rsa is in
> > use. Therefore, interactive generation of 8192-bit RSA keys is
> > currently  
> Right, that is by design.  Read
> <https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096> to
> read why we even don't default to 4096.
> If you somehow have a demand for RSA > 4096 bit you will also have the
> experts at hand which can figure out how to create such keys with
> GnuPG and how are able to implement the OPSEC which you surely need
> with such demands.

Well, I am aware that the get_keysize_range() restriction does not
apply to batch mode; but I had assumed it was a simple oversight that
get_keysize_range() does not check the large_rsa flag.

In the meantime, I've been informed the same patch has been submitted
previously by others; apologies for not doing any research on this
first. (By the way, it might be a good idea to add a comment to
get_keysize_range() to inform readers that this is a conscious UI
decision and not a bug.)


More information about the Gnupg-devel mailing list