GnuPG cryptographic defaults on the 2.2 branch

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 21 18:18:31 CEST 2017


On Thu 2017-09-21 17:53:36 +0200, Kristian Fiskerstrand wrote:
> Social problems can't be solved solely using technical means, and there
> is a severe lack of education/knowledge on security aspects such as,
> inter alia, operational security.

agreed, sadly.

> Granted that is just as true for 2048 bit keylength, but thinking
> increasing it to 3072 bit has a noticeable impact on the actual
> security for the user on its own doesn't compute for me

weak crypto defaults can actually *discourage* operational security,
because some people come up with "why bother when the key is able to be
cracked anyway".  I'm not saying that RSA-2048 should be considered
trivially breakable, but an argument about how unsophisticated users
experience choices of cryptographic defaults actually cuts both ways.

> and in some cases it can reduce the security as it isn't compatible
> with certain hardware tokens (like youbikey 3 neo).

Users with a yubikey (or other hardware tokens) will make keys that will
fit onto their devices.  I don't think that the default is an issue for
them.

      --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170921/cc77b01d/attachment.sig>


More information about the Gnupg-devel mailing list