Is ECC ready and increase the default RSA key size to 3072 bits?

Bernhard Reiter
Thu Apr 25 08:42:13 CEST 2019

On Friday 19 April 2019 15:50:13, Daniel Kahn Gillmor wrote:
> GnuPG master already defaults RSA keys to 3072 bits,

> I agree that it makes sense to do this on the 2.2 branch.

FWIW I also agree to switch the default.
It matches modern recommendations for mid/long term security, 
e.g. from

This is even when considering the FAQ linked

| Will GnuPG ever support RSA-3072 or RSA-4096 by default?
| Probably not.

|Every minute we spend arguing about whether we should change the defaults 
|to RSA-3072 or more is one minute the shift to ECC is delayed. 

Is ECC ready to be the default?
My estimation is: it is not, and so we should switch the default to RSA-3072
until it is.

My estimation is based on:
* There are some GNU/Linux LTS distros in use that still have GnuPG 2.0
  (e.g. Jessie, but probably others; could be examined).
* Ed25519 and Curve25519 are not in an agreed standard (as 4880bis is not
  ready and probably won't be for a while). While I believe it is okay to
  move forward, other implementations may not be, because of the missing
  standard. Example: OpenPGPjs just has a young implementation
  (Dec 2018 saw a major security release, version 4.3.0).

Best Regards,

--   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
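As an added example (my own code, not Bernhard's and not part of GnuPG), here is a small audit script for the situation the thread describes: keyrings that still carry RSA keys below 3072 bits because that was the generation default. It parses the machine-readable output of `gpg --list-keys --with-colons` (the field layout documented in GnuPG's doc/DETAILS: field 3 is the key length, field 4 the algorithm number, field 17 the curve name for ECC keys), flags RSA, DSA and Elgamal keys shorter than 3072 bits, and reports ECC keys separately so one can see how far a keyring has already moved. The embedded listing is constructed sample data, not a real keyring; when a `gpg` binary is on the PATH the script reads the real keyring instead.

```python
"""Audit an OpenPGP keyring for keys below the 3072-bit RSA recommendation.

Added example; assumes only the colon-format output of `gpg --with-colons`.
"""
import shutil
import subprocess

# OpenPGP public-key algorithm numbers as printed by gpg in field 4.
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ECC_ALGOS = {18, 19, 22}
FINITE_FIELD_ALGOS = {1, 16, 17}
MIN_FF_BITS = 3072  # the recommendation discussed in the thread

# Constructed sample listing (not from a real keyring): a 2048-bit RSA key
# with a 2048-bit encryption subkey, a 3072-bit RSA key, and an Ed25519 key
# with a Curve25519 (ECDH) subkey.
SAMPLE_COLON_OUTPUT = """\
pub:u:2048:1:0123456789ABCDEF:1420070400:::u:::scESC::::::23::0:
uid:u::::1420070400::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.org>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1420070400::::::e::::::23:
pub:u:3072:1:1111222233334444:1556150400:::u:::scESC::::::23::0:
uid:u::::1556150400::1111111111111111111111111111111111111111::Bob (constructed) <bob@example.org>::::::::::0:
sub:u:3072:1:5555666677778888:1556150400::::::e::::::23:
pub:u:255:22:AAAABBBBCCCCDDDD:1556150400:::u:::scESC:::::ed25519:::0:
uid:u::::1556150400::2222222222222222222222222222222222222222::Carol (constructed) <carol@example.org>::::::::::0:
sub:u:255:18:EEEEFFFF00001111:1556150400::::::e:::::cv25519::
"""


def parse_keys(colon_output):
    """Return one dict per primary key or subkey record in colon output."""
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        # pub/sub come from --list-keys, sec/ssb from --list-secret-keys.
        if fields[0] not in ("pub", "sub", "sec", "ssb"):
            continue
        keys.append({
            "type": fields[0],
            "bits": int(fields[2]),
            "algo": int(fields[3]),
            "keyid": fields[4],
            "curve": fields[16] if len(fields) > 16 else "",
        })
    return keys


def classify(key):
    """'ecc' for curve keys, 'weak' for RSA/DSA/Elgamal under 3072 bits."""
    if key["algo"] in ECC_ALGOS:
        return "ecc"
    if key["algo"] in FINITE_FIELD_ALGOS and key["bits"] < MIN_FF_BITS:
        return "weak"
    return "ok"


def audit(colon_output):
    """Return (type, keyid, algorithm name, bits, curve, verdict) tuples."""
    return [
        (k["type"], k["keyid"], ALGO_NAMES.get(k["algo"], str(k["algo"])),
         k["bits"], k["curve"], classify(k))
        for k in parse_keys(colon_output)
    ]


def weak_keys(colon_output):
    """Only the records that fall below the 3072-bit recommendation."""
    return [row for row in audit(colon_output) if row[5] == "weak"]


def load_keyring():
    """Use the real keyring when gpg is installed, else the sample above."""
    if shutil.which("gpg"):
        proc = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    return SAMPLE_COLON_OUTPUT


if __name__ == "__main__":
    for row in audit(load_keyring()):
        ktype, keyid, algo, bits, curve, verdict = row
        desc = curve if curve else "%d bits" % bits
        print("%s %s %-7s %-8s %s" % (ktype, keyid, algo, desc, verdict))
```

On the sample data the script flags the two 2048-bit RSA records and reports the Ed25519/Curve25519 pair as ECC. Independently of what a release ships as its default, a GnuPG 2.2 installation can already set `default-new-key-algo rsa3072` in gpg.conf so that `--gen-key` and `--quick-gen-key` without an explicit algorithm produce 3072-bit keys; that option is GnuPG's own, the audit script is not.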